From eacea1d45d4dbbbd7274dee0dfaa8dccc2316f09 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 16 Jan 2009 21:32:59 +0000 Subject: [PATCH] - Define openoffice as an x_domain --- modules-mls.conf | 2 +- policy-20090105.patch | 578 ++++++++++++++++++++++++++---------------- selinux-policy.spec | 5 +- 3 files changed, 365 insertions(+), 220 deletions(-) diff --git a/modules-mls.conf b/modules-mls.conf index 89fc9e71..aeefd89c 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -1327,7 +1327,7 @@ wine = module # # X windows window manager # -wm = module +#wm = module # Layer: admin # Module: tzdata diff --git a/policy-20090105.patch b/policy-20090105.patch index b1b04475..4af6e1b5 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -1138,7 +1138,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol java_domtrans_unconfined(rpm_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.2/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/admin/sudo.if 2009-01-05 17:54:58.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/admin/sudo.if 2009-01-13 15:12:44.000000000 -0500 @@ -51,7 +51,7 @@ # @@ -1202,7 +1202,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg($1_sudo_t) miscfiles_read_localization($1_sudo_t) -@@ -114,6 +120,31 @@ +@@ -114,6 +120,35 @@ userdom_manage_user_tmp_files($1_sudo_t) userdom_manage_user_tmp_symlinks($1_sudo_t) userdom_use_user_terminals($1_sudo_t) 
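Review bot: The modules-mls.conf hunk turns `wm = module` into `#wm = module`, dropping the window-manager module from the MLS module list, yet the commit subject only mentions openoffice and nothing in the description says why wm is no longer built for MLS. The rest of this commit makes wm_t an X domain via `xserver_user_x_domain_template(user, wm_t, wm_tmpfs_t)` in the policy patch, so the two changes are presumably related, but that is a guess a reader should not have to make. A one-line comment above the entry, e.g. `# wm: disabled on MLS pending X-domain support`, or a sentence in the commit message would record the reason; the placeholder reason should be replaced with the actual one.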
@@ -1233,6 +1233,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + userdom_use_user_terminals($1_sudo_t) + term_relabel_all_user_ttys($1_sudo_t) + term_relabel_all_user_ptys($1_sudo_t) ++ ++ optional_policy(` ++ dbus_system_bus_client($1_sudo_t) ++ ') ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.2/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2008-11-11 16:13:49.000000000 -0500 @@ -2929,8 +2933,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.2/policy/modules/apps/openoffice.if --- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/apps/openoffice.if 2009-01-05 17:54:58.000000000 -0500 -@@ -0,0 +1,89 @@ ++++ serefpolicy-3.6.2/policy/modules/apps/openoffice.if 2009-01-15 08:48:06.000000000 -0500 +@@ -0,0 +1,92 @@ +## Openoffice + +####################################### @@ -3019,6 +3023,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $3 $1_openoffice_t:process { signal sigkill }; + allow $1_openoffice_t $3:unix_stream_socket connectto; ++ optional_policy(` ++ xserver_common_x_domain_template($1, $1_openoffice_t) ++ ') +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.2/policy/modules/apps/openoffice.te --- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 
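Review bot: The sudo.if hunk adds `dbus_system_bus_client($1_sudo_t)` inside an `optional_policy` block with no comment naming the service the sudo domain now needs to talk to on the system bus; the enclosing template in sudo.if starts outside the hunk. Because $1_sudo_t is the privilege-raising domain for every role the template is instantiated for, widening it to the system bus deserves a one-line justification above the block, e.g. `# system bus access needed for <service>: TODO name the peer`, and if a single peer is involved the service's own `*_dbus_chat` style interface (as used elsewhere in this patch, for example in the consolekit.if hunk) would scope the access to that peer. The inner hunk header renumbering `-@@ -114,6 +120,31 @@` to `+@@ -114,6 +120,35 @@` on the preceding line is consistent with the four added lines.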
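Review bot: In the openoffice.if hunk the new `xserver_common_x_domain_template($1, $1_openoffice_t)` block is appended directly after the `unix_stream_socket connectto` line with no blank line and no comment, so the intent of the commit (making openoffice its own X domain) is not visible in the template itself; the enclosing template starts outside the hunk. The same commit gives wm_t the user variant, `xserver_user_x_domain_template(user, wm_t, wm_tmpfs_t)`, so a short comment above the block explaining why the common template is sufficient here — presumably because the X server connection itself is still inherited from the user domain $3 — would prevent the next reader from "fixing" the inconsistency; please confirm that assumption. Suggested comment: `# Separate X domain for openoffice; X server connection rules come from $3`.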
@@ -3084,7 +3091,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.2/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/apps/podsleuth.te 2009-01-05 17:54:58.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/apps/podsleuth.te 2009-01-15 11:07:09.000000000 -0500 @@ -11,21 +11,58 @@ application_domain(podsleuth_t, podsleuth_exec_t) role system_r types podsleuth_t; @@ -3102,7 +3109,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - -allow podsleuth_t self:process { signal getsched execheap execmem }; +allow podsleuth_t self:capability { sys_admin sys_rawio }; -+allow podsleuth_t self:process { ptrace signal getsched execheap execmem }; ++allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack }; allow podsleuth_t self:fifo_file rw_file_perms; allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; +allow podsleuth_t self:sem create_sem_perms; @@ -3992,7 +3999,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +xserver_user_x_domain_template(user, wm_t, wm_tmpfs_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.2/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/kernel/corecommands.fc 2009-01-05 17:54:58.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/kernel/corecommands.fc 2009-01-16 09:03:35.000000000 -0500 @@ -130,6 +130,8 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
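Review bot: The podsleuth.te hunk adds `execstack` to `allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack };` without a comment or a mention in the commit message, and the change is unrelated to the openoffice subject. With execheap and execmem already present this removes the last W^X restriction on the domain, which is normally documented with the component that requires it or made switchable so hardened installs can turn it off; a comment such as `# execstack: required by <component> — TODO identify` directly above the line, or a dedicated boolean around the rule, would make the grant reviewable. The hunk also keeps the pre-existing `sys_rawio` capability and `ptrace`, so podsleuth_t is accumulating a fairly powerful self-permission set for a media helper.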
@@ -4002,7 +4009,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr # -@@ -223,14 +225,15 @@ +@@ -203,6 +205,7 @@ + /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/Modules/init(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +@@ -223,14 +226,15 @@ /usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -4020,7 +4035,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0) -@@ -293,3 +296,8 @@ +@@ -293,3 +297,8 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -7478,7 +7493,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +gen_user(xguest_u, user, xguest_r, s0, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.2/policy/modules/services/afs.fc --- nsaserefpolicy/policy/modules/services/afs.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/afs.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/afs.fc 2009-01-16 16:06:26.000000000 -0500 
@@ -1,3 +1,6 @@ +/etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_script_exec_t,s0) +/etc/rc\.d/init\.d/afs -- gen_context(system_u:object_r:afs_script_exec_t,s0) @@ -7502,7 +7517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/afs(/.*)? gen_context(system_u:object_r:afs_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.6.2/policy/modules/services/afs.if --- nsaserefpolicy/policy/modules/services/afs.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/afs.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/afs.if 2009-01-16 16:06:26.000000000 -0500 @@ -1 +1,110 @@ ## Andrew Filesystem server + @@ -7616,7 +7631,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.2/policy/modules/services/afs.te --- nsaserefpolicy/policy/modules/services/afs.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/afs.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/afs.te 2009-01-16 16:06:26.000000000 -0500 @@ -6,6 +6,16 @@ # Declarations # @@ -7683,7 +7698,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive afs_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.2/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/apache.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/apache.fc 2009-01-16 16:06:26.000000000 -0500 
@@ -1,12 +1,13 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -7768,7 +7783,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.2/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/apache.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/apache.if 2009-01-16 16:06:26.000000000 -0500 @@ -13,21 +13,16 @@ # template(`apache_content_template',` @@ -8302,7 +8317,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.2/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/apache.te 2009-01-13 09:27:31.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/apache.te 2009-01-16 16:06:26.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # 
@@ -8975,7 +8990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.2/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/automount.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/automount.te 2009-01-16 16:06:26.000000000 -0500 @@ -71,6 +71,7 @@ files_mounton_all_mountpoints(automount_t) files_mount_all_file_type_fs(automount_t) @@ -9011,7 +9026,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.6.2/policy/modules/services/avahi.if --- nsaserefpolicy/policy/modules/services/avahi.if 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/avahi.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/avahi.if 2009-01-16 16:06:26.000000000 -0500 @@ -21,6 +21,25 @@ ######################################## @@ -9065,7 +9080,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.2/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/avahi.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/avahi.te 2009-01-16 16:06:26.000000000 -0500 @@ -33,6 +33,7 @@ allow avahi_t self:tcp_socket create_stream_socket_perms; allow avahi_t self:udp_socket create_socket_perms; 
@@ -9084,7 +9099,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.6.2/policy/modules/services/bind.fc --- nsaserefpolicy/policy/modules/services/bind.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/bind.fc 2009-01-07 15:44:12.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/bind.fc 2009-01-16 16:06:26.000000000 -0500 @@ -1,17 +1,22 @@ /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) @@ -9118,7 +9133,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.2/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/bind.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/bind.if 2009-01-16 16:06:26.000000000 -0500 @@ -38,6 +38,42 @@ ######################################## @@ -9217,7 +9232,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.6.2/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/bind.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/bind.te 2009-01-16 16:06:26.000000000 -0500 @@ -169,7 +169,7 @@ ') 
@@ -9229,7 +9244,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.6.2/policy/modules/services/bluetooth.fc --- nsaserefpolicy/policy/modules/services/bluetooth.fc 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/bluetooth.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/bluetooth.fc 2009-01-16 16:06:26.000000000 -0500 @@ -15,6 +15,7 @@ /usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0) @@ -9240,7 +9255,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.6.2/policy/modules/services/bluetooth.if --- nsaserefpolicy/policy/modules/services/bluetooth.if 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/bluetooth.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/bluetooth.if 2009-01-16 16:06:26.000000000 -0500 @@ -173,7 +173,7 @@ interface(`bluetooth_admin',` gen_require(` @@ -9262,7 +9277,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.2/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/bluetooth.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/bluetooth.te 2009-01-16 16:06:26.000000000 -0500 
@@ -147,10 +147,10 @@ optional_policy(` cups_dbus_chat(bluetooth_t) @@ -9278,7 +9293,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.6.2/policy/modules/services/certmaster.fc --- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/certmaster.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/certmaster.fc 2009-01-16 16:06:26.000000000 -0500 @@ -0,0 +1,9 @@ + +/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0) @@ -9291,7 +9306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.6.2/policy/modules/services/certmaster.if --- nsaserefpolicy/policy/modules/services/certmaster.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/certmaster.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/certmaster.if 2009-01-16 16:06:26.000000000 -0500 @@ -0,0 +1,123 @@ +## policy for certmaster + 
@@ -9418,7 +9433,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.2/policy/modules/services/certmaster.te --- nsaserefpolicy/policy/modules/services/certmaster.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/certmaster.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/certmaster.te 2009-01-16 16:06:26.000000000 -0500 @@ -0,0 +1,79 @@ +policy_module(certmaster,1.0.0) + @@ -9501,7 +9516,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive certmaster_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.6.2/policy/modules/services/clamav.fc --- nsaserefpolicy/policy/modules/services/clamav.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/clamav.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/clamav.fc 2009-01-16 16:06:26.000000000 -0500 @@ -1,20 +1,22 @@ /etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0) +/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0) @@ -9532,7 +9547,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.6.2/policy/modules/services/clamav.if --- nsaserefpolicy/policy/modules/services/clamav.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/clamav.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/clamav.if 2009-01-16 16:06:26.000000000 -0500 
@@ -38,6 +38,27 @@ ######################################## @@ -9651,7 +9666,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.2/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/clamav.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/clamav.te 2009-01-16 16:06:26.000000000 -0500 @@ -13,7 +13,10 @@ # configuration files @@ -9743,7 +9758,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.6.2/policy/modules/services/consolekit.fc --- nsaserefpolicy/policy/modules/services/consolekit.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/consolekit.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/consolekit.fc 2009-01-16 16:06:26.000000000 -0500 @@ -1,3 +1,6 @@ /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) @@ -9753,7 +9768,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.2/policy/modules/services/consolekit.if --- nsaserefpolicy/policy/modules/services/consolekit.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/consolekit.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/consolekit.if 2009-01-16 16:06:26.000000000 -0500 
@@ -38,3 +38,24 @@ allow $1 consolekit_t:dbus send_msg; allow consolekit_t $1:dbus send_msg; @@ -9781,7 +9796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.2/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/consolekit.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/consolekit.te 2009-01-16 16:06:26.000000000 -0500 @@ -13,6 +13,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -9864,7 +9879,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` + polkit_domtrans_auth(consolekit_t) -+ polkit_read_lib(consolekit_t) ++ polkit_read_reload(consolekit_t) +') + +optional_policy(` @@ -9891,7 +9906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.2/policy/modules/services/courier.te --- nsaserefpolicy/policy/modules/services/courier.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/courier.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/courier.te 2009-01-16 16:06:26.000000000 -0500 @@ -10,6 +10,7 @@ type courier_etc_t; 
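Review bot: The consolekit.te hunk replaces `polkit_read_lib(consolekit_t)` with `polkit_read_reload(consolekit_t)` rather than adding the new call, so whatever polkit_read_lib granted (presumably read access to polkit's /var/lib data — verify in polkit.if, which is not on this page) is silently dropped and would only surface as an AVC denial at runtime. If the reload-file read was the missing piece, consider keeping both calls, or state in the commit message why the lib access was wrong. This change is also not covered by the commit subject, which only mentions openoffice.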
@@ -9902,7 +9917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.2/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/cron.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/cron.fc 2009-01-16 16:06:26.000000000 -0500 @@ -17,9 +17,9 @@ /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) @@ -9916,7 +9931,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) -@@ -41,7 +41,12 @@ +@@ -41,7 +41,11 @@ #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) /var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0) 
@@ -9925,14 +9940,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) -+/var/lib/misc(/.*)? gen_context(system_u:object_r:system_cronjob_var_lib_t,s0) + +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) + +/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.2/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/cron.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/cron.if 2009-01-16 16:06:26.000000000 -0500 @@ -12,6 +12,10 @@ ## # @@ -10029,7 +10043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -506,3 +541,83 @@ +@@ -506,3 +541,82 @@ dontaudit $1 system_cronjob_tmp_t:file append; ') @@ -10110,12 +10124,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + type crond_var_run_t; + ') + -+ + manage_files_pattern($1, crond_var_run_t, crond_var_run_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.2/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/cron.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/cron.te 2009-01-16 16:06:26.000000000 -0500 @@ -38,6 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) 
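Review bot: The cron.fc hunk removes the Fedora-added `/var/lib/misc(/.*)? gen_context(system_u:object_r:system_cronjob_var_lib_t,s0)` entry, which is the right direction because /var/lib/misc is shared by several services and labeling the whole tree with a cron type presumably let system cron jobs manage other services' files; however nothing on this page relabels systems that already carry the old label, so they keep system_cronjob_var_lib_t until a restorecon runs. Please confirm that the spec change listed in the diffstat (its hunk is not on this page) triggers a relabel of /var/lib/misc, or note in the commit message that a manual relabel is expected. The `-@@ -41,7 +41,12 @@` to `+@@ -41,7 +41,11 @@` header change on the previous line, the `+541,83` to `+541,82` header and the removed `-+` blank line in the -10110 hunk are consistent with the deletions.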
@@ -10373,7 +10386,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cronjob_t self:unix_stream_socket create_stream_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.2/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/cups.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/cups.fc 2009-01-16 16:06:26.000000000 -0500 @@ -5,27 +5,38 @@ /etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -10449,7 +10462,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.6.2/policy/modules/services/cups.if --- nsaserefpolicy/policy/modules/services/cups.if 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/cups.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/cups.if 2009-01-16 16:06:26.000000000 -0500 @@ -20,6 +20,30 @@ ######################################## @@ -10576,7 +10589,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.2/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/cups.te 2009-01-12 11:25:36.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/cups.te 2009-01-16 16:06:26.000000000 -0500 
@@ -20,9 +20,18 @@ type cupsd_etc_t; files_config_file(cupsd_etc_t) @@ -10983,7 +10996,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.2/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2008-11-11 16:13:45.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/cvs.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/cvs.te 2009-01-16 16:06:26.000000000 -0500 @@ -112,4 +112,5 @@ read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) @@ -10992,7 +11005,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.6.2/policy/modules/services/cyphesis.fc --- nsaserefpolicy/policy/modules/services/cyphesis.fc 2008-09-03 11:05:02.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/cyphesis.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/cyphesis.fc 2009-01-16 16:06:26.000000000 -0500 @@ -1 +1,6 @@ /usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0) + @@ -11002,7 +11015,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.6.2/policy/modules/services/dbus.fc --- nsaserefpolicy/policy/modules/services/dbus.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/dbus.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/dbus.fc 2009-01-16 16:06:26.000000000 -0500 
@@ -4,6 +4,9 @@ /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) /bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) @@ -11015,7 +11028,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.2/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/dbus.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/dbus.if 2009-01-16 16:06:26.000000000 -0500 @@ -44,6 +44,7 @@ attribute session_bus_type; @@ -11193,7 +11206,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.2/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/dbus.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/dbus.te 2009-01-16 16:06:26.000000000 -0500 @@ -9,14 +9,15 @@ # # Delcarations @@ -11321,7 +11334,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.2/policy/modules/services/dcc.te --- nsaserefpolicy/policy/modules/services/dcc.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/dcc.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/dcc.te 2009-01-16 16:06:26.000000000 -0500 @@ -137,6 +137,7 @@ corenet_all_recvfrom_unlabeled(dcc_client_t) 
@@ -11332,7 +11345,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_udp_sendrecv_all_ports(dcc_client_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.2/policy/modules/services/dhcp.if --- nsaserefpolicy/policy/modules/services/dhcp.if 2008-11-18 18:57:20.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/dhcp.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/dhcp.if 2009-01-16 16:06:26.000000000 -0500 @@ -22,6 +22,25 @@ ######################################## @@ -11361,7 +11374,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.6.2/policy/modules/services/dnsmasq.if --- nsaserefpolicy/policy/modules/services/dnsmasq.if 2008-11-18 18:57:21.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/dnsmasq.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/dnsmasq.if 2009-01-16 16:06:26.000000000 -0500 @@ -22,6 +22,25 @@ ######################################## @@ -11462,7 +11475,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.2/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/dnsmasq.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/dnsmasq.te 2009-01-16 16:06:26.000000000 -0500 @@ -69,21 +69,22 @@ # allow access to dnsmasq.conf 
@@ -11491,7 +11504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.6.2/policy/modules/services/dovecot.fc --- nsaserefpolicy/policy/modules/services/dovecot.fc 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/dovecot.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/dovecot.fc 2009-01-16 16:06:26.000000000 -0500 @@ -6,6 +6,7 @@ /etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) @@ -11527,7 +11540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.6.2/policy/modules/services/dovecot.if --- nsaserefpolicy/policy/modules/services/dovecot.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/dovecot.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/dovecot.if 2009-01-16 16:06:26.000000000 -0500 @@ -21,7 +21,46 @@ ######################################## @@ -11639,7 +11652,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.2/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/dovecot.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/dovecot.te 2009-01-16 16:06:26.000000000 -0500 @@ -15,12 +15,21 @@ domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) role system_r types dovecot_auth_t; 
@@ -11820,7 +11833,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.6.2/policy/modules/services/exim.if --- nsaserefpolicy/policy/modules/services/exim.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/exim.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/exim.if 2009-01-16 16:06:26.000000000 -0500 @@ -97,6 +97,26 @@ ######################################## @@ -11874,7 +11887,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.2/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/exim.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/exim.te 2009-01-16 16:06:26.000000000 -0500 @@ -21,9 +21,20 @@ ## gen_tunable(exim_manage_user_files, false) @@ -12031,7 +12044,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.2/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/ftp.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/ftp.te 2009-01-16 16:06:27.000000000 -0500 @@ -160,6 +160,7 @@ fs_search_auto_mountpoints(ftpd_t) 
@@ -12079,14 +12092,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.2/policy/modules/services/gnomeclock.fc --- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/gnomeclock.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/gnomeclock.fc 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,3 @@ + +/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.2/policy/modules/services/gnomeclock.if --- nsaserefpolicy/policy/modules/services/gnomeclock.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/gnomeclock.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/gnomeclock.if 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,69 @@ + +## policy for gnomeclock @@ -12159,7 +12172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.2/policy/modules/services/gnomeclock.te --- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/gnomeclock.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/gnomeclock.te 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,50 @@ +policy_module(gnomeclock, 1.0.0) +######################################## 
@@ -12208,12 +12221,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + polkit_domtrans_auth(gnomeclock_t) -+ polkit_read_lib(gnomeclock_t) ++ polkit_read_reload(gnomeclock_t) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.2/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/hal.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/hal.fc 2009-01-16 16:06:27.000000000 -0500 @@ -5,6 +5,7 @@ /usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0) @@ -12224,7 +12237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.2/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/hal.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/hal.if 2009-01-16 16:06:27.000000000 -0500 @@ -51,10 +51,7 @@ type hald_t; ') @@ -12239,7 +12252,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.2/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/hal.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/hal.te 2009-01-16 16:06:27.000000000 -0500 
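Review bot: The call inside the gnomeclock_t `optional_policy` block changes from `polkit_read_lib(gnomeclock_t)` to `polkit_read_reload(gnomeclock_t)`, and the same rename is applied to hald_t and hald_acl_t (hunks `@@ -12287,7 +12300,7 @@` and `@@ -12335,7 +12348,7 @@`) and to NetworkManager_t (hunk `@@ -13948,7 +13972,7 @@`). The interface that defines `polkit_read_reload` is not in this chunk, so it cannot be checked here whether it exists in polkit.if or whether it grants a narrower or wider set of file accesses than `polkit_read_lib` did; if the definition is part of this same patch, naming it in the commit description would let a reader confirm the four callers and the interface are consistent. Each renamed call sits in an `optional_policy` block that is complete within its hunk.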
@@ -49,6 +49,15 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -12287,7 +12300,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` + polkit_domtrans_auth(hald_t) + polkit_domtrans_resolve(hald_t) -+ polkit_read_lib(hald_t) ++ polkit_read_reload(hald_t) +') + +optional_policy(` @@ -12335,7 +12348,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + polkit_domtrans_auth(hald_acl_t) -+ polkit_read_lib(hald_acl_t) ++ polkit_read_reload(hald_acl_t) +') + ######################################## @@ -12400,7 +12413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive hald_dccm_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.fc serefpolicy-3.6.2/policy/modules/services/ifplugd.fc --- nsaserefpolicy/policy/modules/services/ifplugd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/ifplugd.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/ifplugd.fc 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,9 @@ + +/etc/ifplugd(/.*)? gen_context(system_u:object_r:ifplugd_etc_t,s0) @@ -12413,7 +12426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.if serefpolicy-3.6.2/policy/modules/services/ifplugd.if --- nsaserefpolicy/policy/modules/services/ifplugd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/ifplugd.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/ifplugd.if 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,194 @@ +## policy for ifplugd + 
@@ -12611,7 +12624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.te serefpolicy-3.6.2/policy/modules/services/ifplugd.te --- nsaserefpolicy/policy/modules/services/ifplugd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/ifplugd.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/ifplugd.te 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,89 @@ +policy_module(ifplugd,1.0.0) + @@ -12704,7 +12717,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.6.2/policy/modules/services/kerberos.fc --- nsaserefpolicy/policy/modules/services/kerberos.fc 2008-10-10 15:53:03.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/kerberos.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/kerberos.fc 2009-01-16 16:06:27.000000000 -0500 @@ -21,6 +21,7 @@ /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) @@ -12715,7 +12728,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.2/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/kerberos.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/kerberos.te 2009-01-16 16:06:27.000000000 -0500 
@@ -290,6 +290,7 @@ corenet_tcp_sendrecv_all_nodes(kpropd_t) corenet_tcp_sendrecv_all_ports(kpropd_t) @@ -12726,7 +12739,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.6.2/policy/modules/services/kerneloops.if --- nsaserefpolicy/policy/modules/services/kerneloops.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/kerneloops.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/kerneloops.if 2009-01-16 16:06:27.000000000 -0500 @@ -63,6 +63,25 @@ ######################################## @@ -12771,7 +12784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.2/policy/modules/services/kerneloops.te --- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/kerneloops.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/kerneloops.te 2009-01-16 16:06:27.000000000 -0500 @@ -13,6 +13,9 @@ type kerneloops_initrc_exec_t; init_script_file(kerneloops_initrc_exec_t) @@ -12794,7 +12807,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Init script handling diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.6.2/policy/modules/services/ldap.te --- nsaserefpolicy/policy/modules/services/ldap.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/ldap.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/ldap.te 2009-01-16 16:06:27.000000000 -0500 
@@ -117,7 +117,11 @@ userdom_dontaudit_search_user_home_dirs(slapd_t) @@ -12810,7 +12823,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.6.2/policy/modules/services/mailman.fc --- nsaserefpolicy/policy/modules/services/mailman.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/mailman.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/mailman.fc 2009-01-16 16:06:27.000000000 -0500 @@ -31,3 +31,4 @@ /var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) /var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) @@ -12818,7 +12831,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.2/policy/modules/services/mailman.if --- nsaserefpolicy/policy/modules/services/mailman.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/mailman.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/mailman.if 2009-01-16 16:06:27.000000000 -0500 @@ -31,6 +31,12 @@ allow mailman_$1_t self:tcp_socket create_stream_socket_perms; allow mailman_$1_t self:udp_socket create_socket_perms; 
@@ -12868,7 +12881,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.2/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/mailman.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/mailman.te 2009-01-16 16:06:27.000000000 -0500 @@ -53,10 +53,8 @@ apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) @@ -12929,13 +12942,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(mailman_queue_t, mailman_queue_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.6.2/policy/modules/services/mailscanner.fc --- nsaserefpolicy/policy/modules/services/mailscanner.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/mailscanner.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/mailscanner.fc 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,2 @@ +/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mailscanner_spool_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.6.2/policy/modules/services/mailscanner.if --- nsaserefpolicy/policy/modules/services/mailscanner.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/mailscanner.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/mailscanner.if 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,59 @@ +## Anti-Virus and Anti-Spam Filter + 
@@ -12998,7 +13011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.6.2/policy/modules/services/mailscanner.te --- nsaserefpolicy/policy/modules/services/mailscanner.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/mailscanner.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/mailscanner.te 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,5 @@ + +policy_module(mailscanner, 1.0.0) @@ -13007,7 +13020,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_type(mailscanner_spool_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.2/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2008-09-12 10:48:05.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/mta.fc 2009-01-08 13:25:41.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/mta.fc 2009-01-16 16:06:27.000000000 -0500 @@ -1,4 +1,4 @@ -/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -13038,7 +13051,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -#') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.2/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/mta.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/mta.if 2009-01-16 16:06:27.000000000 -0500 @@ -130,6 +130,15 @@ sendmail_create_log($1_mail_t) ') 
@@ -13077,6 +13090,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') +@@ -591,8 +603,8 @@ + + files_search_spool($1) + allow $1 mail_spool_t:dir list_dir_perms; +- allow $1 mail_spool_t:lnk_file read; +- allow $1 mail_spool_t:file getattr; ++ getattr_files_pattern($1, mail_spool_t, mail_spool_t) ++ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) + ') + + ######################################## @@ -612,7 +624,7 @@ ') @@ -13097,7 +13121,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.2/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/mta.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/mta.te 2009-01-16 16:06:27.000000000 -0500 @@ -47,34 +47,48 @@ # @@ -13241,7 +13265,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # User send mail local policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.2/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/munin.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/munin.fc 2009-01-16 16:06:27.000000000 -0500 @@ -1,4 +1,5 @@ /etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) +/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0) 
@@ -13261,7 +13285,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.6.2/policy/modules/services/munin.if --- nsaserefpolicy/policy/modules/services/munin.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/munin.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/munin.if 2009-01-16 16:06:27.000000000 -0500 @@ -80,3 +80,76 @@ dontaudit $1 munin_var_lib_t:dir search_dir_perms; @@ -13341,7 +13365,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.2/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/munin.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/munin.te 2009-01-16 16:06:27.000000000 -0500 @@ -13,6 +13,9 @@ type munin_etc_t alias lrrd_etc_t; files_config_file(munin_etc_t) @@ -13478,7 +13502,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.2/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/nagios.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/nagios.fc 2009-01-16 16:06:27.000000000 -0500 @@ -1,16 +1,19 @@ /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) 
@@ -13505,7 +13529,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.2/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/nagios.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/nagios.if 2009-01-16 16:06:27.000000000 -0500 @@ -44,7 +44,7 @@ ######################################## @@ -13627,7 +13651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.2/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/nagios.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/nagios.te 2009-01-16 16:06:27.000000000 -0500 @@ -10,13 +10,12 @@ type nagios_exec_t; init_daemon_domain(nagios_t, nagios_exec_t) @@ -13725,7 +13749,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.2/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/networkmanager.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/networkmanager.fc 2009-01-16 16:06:27.000000000 -0500 @@ -1,8 +1,12 @@ +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) + 
@@ -13746,7 +13770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.2/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/networkmanager.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/networkmanager.if 2009-01-16 16:06:27.000000000 -0500 @@ -118,6 +118,24 @@ ######################################## @@ -13774,7 +13798,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.2/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/networkmanager.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/networkmanager.te 2009-01-16 16:06:27.000000000 -0500 @@ -33,9 +33,9 @@ # networkmanager will ptrace itself if gdb is installed @@ -13948,7 +13972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + polkit_domtrans_auth(NetworkManager_t) -+ polkit_read_lib(NetworkManager_t) ++ polkit_read_reload(NetworkManager_t) ') optional_policy(` 
@@ -13980,7 +14004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.2/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/nis.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/nis.fc 2009-01-16 16:06:27.000000000 -0500 @@ -1,9 +1,13 @@ - +/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) @@ -13998,7 +14022,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.2/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/nis.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/nis.if 2009-01-16 16:06:27.000000000 -0500 @@ -28,7 +28,7 @@ type var_yp_t; ') @@ -14152,7 +14176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.2/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/nis.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/nis.te 2009-01-16 16:06:27.000000000 -0500 @@ -13,6 +13,9 @@ type ypbind_exec_t; init_daemon_domain(ypbind_t, ypbind_exec_t) 
@@ -14229,7 +14253,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_all_ports(ypxfr_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.6.2/policy/modules/services/nscd.fc --- nsaserefpolicy/policy/modules/services/nscd.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/nscd.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/nscd.fc 2009-01-16 16:06:27.000000000 -0500 @@ -1,3 +1,4 @@ +/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) @@ -14237,7 +14261,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.2/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/nscd.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/nscd.if 2009-01-16 16:06:27.000000000 -0500 @@ -58,6 +58,42 @@ ######################################## @@ -14362,7 +14386,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.2/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/nscd.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/nscd.te 2009-01-16 16:06:27.000000000 -0500 @@ -20,6 +20,9 @@ type nscd_exec_t; init_daemon_domain(nscd_t, nscd_exec_t) 
@@ -14461,7 +14485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.2/policy/modules/services/ntp.if --- nsaserefpolicy/policy/modules/services/ntp.if 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/ntp.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/ntp.if 2009-01-16 16:06:27.000000000 -0500 @@ -56,6 +56,24 @@ ######################################## @@ -14489,8 +14513,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.2/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/ntp.te 2009-01-05 17:54:59.000000000 -0500 -@@ -42,6 +42,7 @@ ++++ serefpolicy-3.6.2/policy/modules/services/ntp.te 2009-01-16 16:06:27.000000000 -0500 +@@ -38,10 +38,11 @@ + + # sys_resource and setrlimit is for locking memory + # ntpdate wants sys_nice +-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource }; ++allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; allow ntpd_t self:fifo_file rw_fifo_file_perms; 
@@ -14498,7 +14527,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ntpd_t self:unix_dgram_socket create_socket_perms; allow ntpd_t self:unix_stream_socket create_socket_perms; allow ntpd_t self:tcp_socket create_stream_socket_perms; -@@ -90,6 +91,8 @@ +@@ -52,6 +53,7 @@ + can_exec(ntpd_t,ntpd_exec_t) + + read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) ++read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) + + allow ntpd_t ntpd_log_t:dir setattr; + manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t) +@@ -90,6 +92,8 @@ fs_getattr_all_fs(ntpd_t) fs_search_auto_mountpoints(ntpd_t) @@ -14509,7 +14546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.2/policy/modules/services/nx.te --- nsaserefpolicy/policy/modules/services/nx.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/nx.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/nx.te 2009-01-16 16:06:27.000000000 -0500 @@ -25,6 +25,9 @@ type nx_server_var_run_t; files_pid_file(nx_server_var_run_t) @@ -14532,7 +14569,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.6.2/policy/modules/services/oddjob.fc --- nsaserefpolicy/policy/modules/services/oddjob.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/oddjob.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/oddjob.fc 2009-01-16 16:06:27.000000000 -0500 @@ -1,4 +1,4 @@ -/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) 
@@ -14541,7 +14578,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.2/policy/modules/services/oddjob.if --- nsaserefpolicy/policy/modules/services/oddjob.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/oddjob.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/oddjob.if 2009-01-16 16:06:27.000000000 -0500 @@ -44,6 +44,7 @@ ') @@ -14581,7 +14618,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.6.2/policy/modules/services/oddjob.te --- nsaserefpolicy/policy/modules/services/oddjob.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/oddjob.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/oddjob.te 2009-01-16 16:06:27.000000000 -0500 @@ -10,14 +10,21 @@ type oddjob_exec_t; domain_type(oddjob_t) @@ -14640,7 +14677,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.6.2/policy/modules/services/openvpn.fc --- nsaserefpolicy/policy/modules/services/openvpn.fc 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/openvpn.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/openvpn.fc 2009-01-16 16:06:27.000000000 -0500 @@ -2,6 +2,7 @@ # /etc # 
@@ -14651,7 +14688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.if serefpolicy-3.6.2/policy/modules/services/openvpn.if --- nsaserefpolicy/policy/modules/services/openvpn.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/openvpn.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/openvpn.if 2009-01-16 16:06:27.000000000 -0500 @@ -46,6 +46,24 @@ ######################################## @@ -14704,7 +14741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.2/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/openvpn.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/openvpn.te 2009-01-16 16:06:27.000000000 -0500 @@ -22,6 +22,9 @@ type openvpn_etc_t; files_config_file(openvpn_etc_t) @@ -14748,7 +14785,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.fc serefpolicy-3.6.2/policy/modules/services/pads.fc --- nsaserefpolicy/policy/modules/services/pads.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/pads.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/pads.fc 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,12 @@ + +/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0) 
@@ -14764,7 +14801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.if serefpolicy-3.6.2/policy/modules/services/pads.if --- nsaserefpolicy/policy/modules/services/pads.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/pads.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/pads.if 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,10 @@ +## SELinux policy for PADS daemon. +## @@ -14778,7 +14815,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.6.2/policy/modules/services/pads.te --- nsaserefpolicy/policy/modules/services/pads.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/pads.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/pads.te 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,65 @@ + +policy_module(pads, 0.0.1) @@ -14847,7 +14884,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.2/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2008-11-11 16:13:45.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/pcscd.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/pcscd.te 2009-01-16 16:06:27.000000000 -0500 @@ -57,6 +57,14 @@ sysnet_dns_name_resolve(pcscd_t) 
@@ -14865,7 +14902,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol openct_signull(pcscd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.2/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/pegasus.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/pegasus.te 2009-01-16 16:06:27.000000000 -0500 @@ -30,7 +30,7 @@ # Local policy # @@ -14939,7 +14976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.fc serefpolicy-3.6.2/policy/modules/services/pingd.fc --- nsaserefpolicy/policy/modules/services/pingd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/pingd.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/pingd.fc 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,11 @@ + +/etc/pingd.conf -- gen_context(system_u:object_r:pingd_etc_t,s0) @@ -14954,7 +14991,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.if serefpolicy-3.6.2/policy/modules/services/pingd.if --- nsaserefpolicy/policy/modules/services/pingd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/pingd.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/pingd.if 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,99 @@ +## policy for pingd + 
@@ -15057,7 +15094,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.te serefpolicy-3.6.2/policy/modules/services/pingd.te --- nsaserefpolicy/policy/modules/services/pingd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/pingd.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/pingd.te 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,54 @@ +policy_module(pingd,1.0.0) + @@ -15115,7 +15152,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.fc serefpolicy-3.6.2/policy/modules/services/pki.fc --- nsaserefpolicy/policy/modules/services/pki.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/pki.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/pki.fc 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,46 @@ + +/etc/rc\.d/init\.d/pki-ca -- gen_context(system_u:object_r:pki_ca_script_exec_t,s0) @@ -15165,7 +15202,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/pki-tps\.pid -- gen_context(system_u:object_r:pki_tks_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.if serefpolicy-3.6.2/policy/modules/services/pki.if --- nsaserefpolicy/policy/modules/services/pki.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/pki.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/pki.if 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,643 @@ + +## policy for pki 
@@ -15812,7 +15849,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.te serefpolicy-3.6.2/policy/modules/services/pki.te --- nsaserefpolicy/policy/modules/services/pki.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/pki.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/pki.te 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,91 @@ +policy_module(pki,1.0.0) + @@ -15907,8 +15944,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.6.2/policy/modules/services/polkit.fc --- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/polkit.fc 2009-01-05 17:54:59.000000000 -0500 -@@ -0,0 +1,9 @@ ++++ serefpolicy-3.6.2/policy/modules/services/polkit.fc 2009-01-16 16:06:27.000000000 -0500 +@@ -0,0 +1,11 @@ + +/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) +/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:polkit_grant_exec_t,s0) 
@@ -15918,10 +15955,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) +/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0) +/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) ++ ++/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:polkit_reload_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.2/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/polkit.if 2009-01-05 17:54:59.000000000 -0500 -@@ -0,0 +1,202 @@ ++++ serefpolicy-3.6.2/policy/modules/services/polkit.if 2009-01-16 16:07:30.000000000 -0500 +@@ -0,0 +1,240 @@ + +## policy for polkit_auth + @@ -15987,6 +16026,44 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## read polkit reload files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`polkit_read_reload',` ++ gen_require(` ++ type polkit_reload_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, polkit_reload_t, polkit_reload_t) ++') ++ ++######################################## ++## ++## rw polkit reload files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`polkit_rw_reload',` ++ gen_require(` ++ type polkit_reload_t; ++ ') ++ ++ files_search_var_lib($1) ++ rw_files_pattern($1, polkit_reload_t, polkit_reload_t) ++') ++ ++######################################## ++## +## Execute a domain transition to run polkit_grant. +## +## 
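Review bot: The new file-context entry `/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:polkit_reload_t,s0)` leaves the dot unescaped and omits the file-type field, unlike the other single-file entries in this patch (`/usr/libexec/polkit-read-auth-helper -- gen_context(...)` a few lines above it, `/var/run/pki-tps\.pid -- gen_context(...)` in pki.fc). As written the unescaped `.` matches any character and the missing `--` lets the pattern label directories and other file types as polkit_reload_t as well. If the reload marker is a regular file, `/var/lib/misc/PolicyKit\.reload -- gen_context(system_u:object_r:polkit_reload_t,s0)` is the consistent form.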
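Review bot: The summaries of the two new interfaces, `## read polkit reload files` and `## rw polkit reload files`, are terser than the neighbouring one (`## Execute a domain transition to run polkit_grant.`); `## Read the polkit reload file.` and `## Read and write the polkit reload file.` would match the file's style and name the single marker file the .fc entry labels. Both interfaces grant only `files_search_var_lib($1)` before the `read_files_pattern`/`rw_files_pattern` call, while the labelled path sits under /var/lib/misc; if that directory does not carry the generic var_lib type, callers will still be denied search on it — worth confirming against the actual label, as this hunk does not show it.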
@@ -16101,7 +16178,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +template(`polkit_role',` + polkit_run_auth($2, $1) + polkit_run_grant($2, $1) -+ polkit_read_lib($2) ++ polkit_read_reload($2) +') + +######################################## @@ -16126,8 +16203,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.2/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/polkit.te 2009-01-05 17:54:59.000000000 -0500 -@@ -0,0 +1,229 @@ ++++ serefpolicy-3.6.2/policy/modules/services/polkit.te 2009-01-16 16:06:27.000000000 -0500 +@@ -0,0 +1,237 @@ +policy_module(polkit_auth, 1.0.0) + +######################################## @@ -16151,6 +16228,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type polkit_auth_exec_t; +init_daemon_domain(polkit_auth_t, polkit_auth_exec_t) + ++type polkit_reload_t; ++files_type(polkit_reload_t) ++ +type polkit_var_lib_t; +files_type(polkit_var_lib_t) + @@ -16192,6 +16272,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +manage_files_pattern(polkit_t, polkit_var_lib_t, polkit_var_lib_t) + ++rw_files_pattern(polkit_t, polkit_reload_t, polkit_reload_t) ++ +# pid file +manage_dirs_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t) +manage_files_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t) 
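Review bot: `polkit_role` now calls `polkit_read_reload($2)` in place of `polkit_read_lib($2)` rather than in addition to it, so with this hunk user-role domains lose read access to `polkit_var_lib_t`. If dropping that access is intended, the commit message should say so; otherwise keep both lines, `polkit_read_lib($2)` followed by `polkit_read_reload($2)`. The rest of polkit.if is outside this hunk, so I cannot see whether another path still grants the lib read to those roles.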
@@ -16234,6 +16316,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +logging_send_syslog_msg(polkit_auth_t) + +manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t) ++rw_files_pattern(polkit_auth_t, polkit_reload_t, polkit_reload_t) + +# pid file +manage_dirs_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t) @@ -16296,6 +16379,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_files_pattern(polkit_grant_t, polkit_var_run_t, polkit_var_run_t) + +manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t) ++rw_files_pattern(polkit_grant_t, polkit_reload_t, polkit_reload_t) +userdom_read_all_users_state(polkit_grant_t) + +optional_policy(` @@ -16322,6 +16406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow polkit_resolve_t self:unix_stream_socket create_stream_socket_perms; + +read_files_pattern(polkit_resolve_t, polkit_var_lib_t, polkit_var_lib_t) ++read_files_pattern(polkit_resolve_t, polkit_reload_t, polkit_reload_t) + +can_exec(polkit_resolve_t, polkit_resolve_exec_t) +corecmd_search_bin(polkit_resolve_t) @@ -16359,7 +16444,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.fc serefpolicy-3.6.2/policy/modules/services/portreserve.fc --- nsaserefpolicy/policy/modules/services/portreserve.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/portreserve.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/portreserve.fc 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,12 @@ +# portreserve executable will have: +# label: system_u:object_r:portreserve_exec_t 
@@ -16375,7 +16460,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.6.2/policy/modules/services/portreserve.if --- nsaserefpolicy/policy/modules/services/portreserve.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/portreserve.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/portreserve.if 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,66 @@ +## policy for portreserve + @@ -16445,7 +16530,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.6.2/policy/modules/services/portreserve.te --- nsaserefpolicy/policy/modules/services/portreserve.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/portreserve.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/portreserve.te 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,52 @@ +policy_module(portreserve,1.0.0) + @@ -16501,7 +16586,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +#domain_use_interactive_fds(portreserve_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.2/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/postfix.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/postfix.fc 2009-01-16 16:06:27.000000000 -0500 
@@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) @@ -16517,7 +16602,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.2/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/postfix.if 2009-01-07 13:21:46.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/postfix.if 2009-01-16 16:06:27.000000000 -0500 @@ -46,6 +46,7 @@ allow postfix_$1_t postfix_etc_t:dir list_dir_perms; @@ -16679,7 +16764,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.2/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/postfix.te 2009-01-07 13:20:40.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/postfix.te 2009-01-16 16:06:27.000000000 -0500 @@ -6,6 +6,15 @@ # Declarations # 
@@ -17006,7 +17091,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(postfix_virtual_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.2/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/postgresql.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/postgresql.fc 2009-01-16 16:06:27.000000000 -0500 @@ -2,6 +2,7 @@ # /etc # @@ -17017,7 +17102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /usr diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.2/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/postgresql.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/postgresql.if 2009-01-16 16:06:27.000000000 -0500 @@ -351,3 +351,46 @@ typeattribute $1 sepgsql_unconfined_type; @@ -17067,7 +17152,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.2/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/postgresql.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/postgresql.te 2009-01-16 16:06:27.000000000 -0500 @@ -32,6 +32,9 @@ type postgresql_etc_t; files_config_file(postgresql_etc_t) 
@@ -17123,7 +17208,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.6.2/policy/modules/services/ppp.fc --- nsaserefpolicy/policy/modules/services/ppp.fc 2008-09-11 11:28:34.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/ppp.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/ppp.fc 2009-01-16 16:06:27.000000000 -0500 @@ -1,7 +1,7 @@ # # /etc @@ -17146,7 +17231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /sbin diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.2/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/ppp.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/ppp.if 2009-01-16 16:06:27.000000000 -0500 @@ -58,6 +58,25 @@ ######################################## @@ -17249,7 +17334,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.2/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/ppp.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/ppp.te 2009-01-16 16:06:27.000000000 -0500 @@ -37,8 +37,8 @@ type pppd_etc_rw_t; files_type(pppd_etc_rw_t) 
@@ -17379,7 +17464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.6.2/policy/modules/services/prelude.fc --- nsaserefpolicy/policy/modules/services/prelude.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/prelude.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/prelude.fc 2009-01-16 16:06:27.000000000 -0500 @@ -1,3 +1,9 @@ +/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0) + @@ -17408,7 +17493,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.6.2/policy/modules/services/prelude.if --- nsaserefpolicy/policy/modules/services/prelude.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/prelude.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/prelude.if 2009-01-16 16:06:27.000000000 -0500 @@ -6,7 +6,7 @@ ## ## @@ -17523,7 +17608,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.2/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2008-11-11 16:13:45.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/prelude.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/prelude.te 2009-01-16 16:06:27.000000000 -0500 @@ -13,25 +13,57 @@ type prelude_spool_t; files_type(prelude_spool_t) 
@@ -17792,7 +17877,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mysql_search_db(httpd_prewikka_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.2/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/procmail.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/procmail.te 2009-01-16 16:06:27.000000000 -0500 @@ -128,6 +128,10 @@ ') @@ -17814,7 +17899,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.2/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/pyzor.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/pyzor.fc 2009-01-16 16:06:27.000000000 -0500 @@ -1,6 +1,8 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) @@ -17826,7 +17911,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.2/policy/modules/services/pyzor.if --- nsaserefpolicy/policy/modules/services/pyzor.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/pyzor.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/pyzor.if 2009-01-16 16:06:27.000000000 -0500 @@ -88,3 +88,50 @@ corecmd_search_bin($1) can_exec($1, pyzor_exec_t) 
@@ -17880,7 +17965,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.2/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2008-11-11 16:13:45.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/pyzor.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/pyzor.te 2009-01-16 16:06:27.000000000 -0500 @@ -6,6 +6,38 @@ # Declarations # @@ -17939,7 +18024,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.6.2/policy/modules/services/radvd.te --- nsaserefpolicy/policy/modules/services/radvd.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/radvd.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/radvd.te 2009-01-16 16:06:27.000000000 -0500 @@ -22,7 +22,7 @@ # # Local policy @@ -17951,7 +18036,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow radvd_t self:unix_dgram_socket create_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.2/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/razor.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/razor.if 2009-01-16 16:06:27.000000000 -0500 @@ -157,3 +157,45 @@ domtrans_pattern($1, razor_exec_t, razor_t) 
@@ -18000,7 +18085,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.2/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2008-11-19 18:10:07.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/razor.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/razor.te 2009-01-16 16:06:27.000000000 -0500 @@ -6,6 +6,32 @@ # Declarations # @@ -18041,7 +18126,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.2/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/ricci.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/ricci.te 2009-01-16 16:06:27.000000000 -0500 @@ -133,6 +133,8 @@ dev_read_urand(ricci_t) @@ -18148,7 +18233,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ccs_read_config(ricci_modstorage_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.6.2/policy/modules/services/rlogin.te --- nsaserefpolicy/policy/modules/services/rlogin.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/rlogin.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/rlogin.te 2009-01-16 16:06:27.000000000 -0500 @@ -91,10 +91,22 @@ remotelogin_signal(rlogind_t) 
@@ -18176,7 +18261,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.6.2/policy/modules/services/rpc.fc --- nsaserefpolicy/policy/modules/services/rpc.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/rpc.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/rpc.fc 2009-01-16 16:06:27.000000000 -0500 @@ -13,6 +13,7 @@ # /usr # @@ -18187,7 +18272,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.2/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/rpc.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/rpc.if 2009-01-16 16:06:27.000000000 -0500 @@ -88,8 +88,11 @@ # bind to arbitary unused ports corenet_tcp_bind_generic_port($1_t) @@ -18251,7 +18336,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.2/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/rpc.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/rpc.te 2009-01-16 16:06:27.000000000 -0500 @@ -23,7 +23,7 @@ gen_tunable(allow_nfsd_anon_write, false) 
@@ -18305,7 +18390,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.6.2/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/rshd.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/rshd.te 2009-01-16 16:06:27.000000000 -0500 @@ -51,7 +51,7 @@ files_list_home(rshd_t) @@ -18315,9 +18400,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_login_pgm_domain(rshd_t) auth_write_login_records(rshd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.2/policy/modules/services/rsync.te +--- nsaserefpolicy/policy/modules/services/rsync.te 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/rsync.te 2009-01-16 16:06:27.000000000 -0500 +@@ -119,5 +119,8 @@ + + tunable_policy(`rsync_export_all_ro',` + fs_read_noxattr_fs_files(rsync_t) ++ auth_read_all_dirs_except_shadow(rsync_t) + auth_read_all_files_except_shadow(rsync_t) ++ auth_tunable_read_shadow(rsync_t) + ') ++auth_can_read_shadow_passwords(rsync_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.2/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/samba.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/samba.fc 2009-01-16 16:06:27.000000000 -0500 @@ -2,6 +2,9 @@ # # /etc 
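Review bot: In the new rsync.te hunk, `auth_can_read_shadow_passwords(rsync_t)` is appended unconditionally after the closing `')` of the `rsync_export_all_ro` tunable block, while its companion `auth_tunable_read_shadow(rsync_t)` sits inside that block; as written, a reader will take the unconditional line for a bypass of the tunable. If, as the two interface names suggest, the unconditional call only attaches the attribute that exempts the domain from the shadow restriction and the actual read rules stay gated by the tunable, say so in place: `# attribute assignment cannot live inside tunable_policy; the shadow read rules above stay gated by rsync_export_all_ro`. If it instead grants shadow read access on its own, it widens rsync_t regardless of the tunable and needs a justification of its own in the commit. Either way a blank line between `')` and the new call would stop it reading as a stray line.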
@@ -18346,7 +18443,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.2/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/samba.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/samba.if 2009-01-16 16:06:27.000000000 -0500 @@ -4,6 +4,45 @@ ## from Windows NT servers. ## @@ -18746,7 +18843,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.2/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/samba.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/samba.te 2009-01-16 16:06:27.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -19154,7 +19251,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow smbcontrol_t nmbd_var_run_t:file { read lock }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.2/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/sasl.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/sasl.te 2009-01-16 16:06:27.000000000 -0500 @@ -107,6 +107,10 @@ ') 
@@ -19168,7 +19265,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.2/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/sendmail.if 2009-01-13 09:34:43.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/sendmail.if 2009-01-16 16:06:27.000000000 -0500 @@ -149,3 +149,92 @@ logging_log_filetrans($1, sendmail_log_t, file) @@ -19264,7 +19361,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.2/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/sendmail.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/sendmail.te 2009-01-16 16:06:27.000000000 -0500 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -19434,7 +19531,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -') dnl end TODO diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.2/policy/modules/services/setroubleshoot.fc --- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/setroubleshoot.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/setroubleshoot.fc 2009-01-16 16:06:27.000000000 -0500 @@ -1,3 +1,5 @@ +/etc/rc\.d/init\.d/setroubleshoot -- gen_context(system_u:object_r:setroubleshoot_initrc_exec_t,s0) + 
@@ -19443,7 +19540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.2/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/setroubleshoot.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/setroubleshoot.if 2009-01-16 16:06:27.000000000 -0500 @@ -16,8 +16,8 @@ ') @@ -19455,7 +19552,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -36,6 +36,48 @@ +@@ -36,6 +36,69 @@ type setroubleshootd_t, setroubleshoot_var_run_t; ') @@ -19466,6 +19563,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Send and receive messages from ++## setroubleshoot over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`setroubleshoot_dbus_chat',` ++ gen_require(` ++ type setroubleshootd_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 setroubleshootd_t:dbus send_msg; ++ allow setroubleshootd_t $1:dbus send_msg; ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an setroubleshoot environment +## 
@@ -19507,7 +19625,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.2/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/setroubleshoot.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/setroubleshoot.te 2009-01-16 16:06:27.000000000 -0500 @@ -11,6 +11,9 @@ domain_type(setroubleshootd_t) init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) @@ -19594,7 +19712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpm_use_script_fds(setroubleshootd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.2/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/smartmon.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/smartmon.te 2009-01-16 16:06:27.000000000 -0500 @@ -19,6 +19,10 @@ type fsdaemon_tmp_t; files_tmp_file(fsdaemon_tmp_t) @@ -19654,7 +19772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.6.2/policy/modules/services/snmp.fc --- nsaserefpolicy/policy/modules/services/snmp.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/snmp.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/snmp.fc 2009-01-16 16:06:27.000000000 -0500 @@ -20,5 +20,5 @@ /var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0) 
@@ -19664,7 +19782,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.2/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/snmp.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/snmp.te 2009-01-16 16:06:27.000000000 -0500 @@ -71,6 +71,7 @@ corenet_tcp_bind_snmp_port(snmpd_t) corenet_udp_bind_snmp_port(snmpd_t) @@ -19675,7 +19793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_sysfs(snmpd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.2/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/snort.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/snort.te 2009-01-16 16:06:27.000000000 -0500 @@ -56,6 +56,7 @@ files_pid_filetrans(snort_t, snort_var_run_t, file) @@ -19708,7 +19826,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.2/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2008-11-25 09:01:08.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/spamassassin.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/spamassassin.fc 2009-01-16 16:06:27.000000000 -0500 
@@ -1,15 +1,24 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) @@ -19739,7 +19857,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.2/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/spamassassin.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/spamassassin.if 2009-01-16 16:06:27.000000000 -0500 @@ -111,6 +111,7 @@ ') @@ -19828,7 +19946,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.2/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/spamassassin.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/spamassassin.te 2009-01-16 16:06:27.000000000 -0500 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) 
@@ -20088,7 +20206,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.6.2/policy/modules/services/squid.if --- nsaserefpolicy/policy/modules/services/squid.if 2008-11-11 16:13:45.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/squid.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/squid.if 2009-01-16 16:06:27.000000000 -0500 @@ -21,6 +21,25 @@ ######################################## @@ -20117,7 +20235,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.2/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/squid.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/squid.te 2009-01-16 16:06:27.000000000 -0500 @@ -118,6 +118,8 @@ fs_getattr_all_fs(squid_t) @@ -20138,7 +20256,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -') dnl end TODO diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.2/policy/modules/services/ssh.fc --- nsaserefpolicy/policy/modules/services/ssh.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/ssh.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/ssh.fc 2009-01-16 16:06:27.000000000 -0500 @@ -14,3 +14,5 @@ /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) 
@@ -20147,7 +20265,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.2/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/ssh.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/ssh.if 2009-01-16 16:06:27.000000000 -0500 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -20215,16 +20333,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand($1_ssh_t) -@@ -133,6 +133,8 @@ +@@ -132,6 +132,10 @@ + files_read_etc_runtime_files($1_ssh_t) files_read_etc_files($1_ssh_t) files_read_var_files($1_ssh_t) - -+ auth_use_nsswitch($1_ssh_t) ++ # Required for FreeNX ++ files_read_var_lib_symlinks($1_t) + ++ auth_use_nsswitch($1_ssh_t) + logging_send_syslog_msg($1_ssh_t) logging_read_generic_logs($1_ssh_t) - -@@ -140,9 +142,6 @@ +@@ -140,9 +144,6 @@ seutil_read_config($1_ssh_t) @@ -20234,7 +20354,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`read_default_t',` files_list_default($1_ssh_t) files_read_default_files($1_ssh_t) -@@ -154,14 +153,6 @@ +@@ -154,14 +155,6 @@ optional_policy(` kerberos_use($1_ssh_t) ') @@ -20249,7 +20369,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -194,13 +185,14 @@ +@@ -194,13 +187,14 @@ type $1_var_run_t; files_pid_file($1_var_run_t) 
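Review bot: The added `files_read_var_lib_symlinks($1_t)` targets `$1_t`, while every neighbouring rule in the same inner hunk targets `$1_ssh_t` (`files_read_var_files($1_ssh_t)`, `auth_use_nsswitch($1_ssh_t)`); if the FreeNX requirement is for the ssh client domain, the argument is wrong and the rule silently grants a different type, and `$1_t` is not among the types the visible template lines declare, so it may also need a `gen_require` to build. If `$1_t` is intended, the comment should say which domain and why rather than only the product name, e.g. `# Required for FreeNX: the calling user domain follows symlinks under /var/lib`. The enclosing template's header and the rest of its body are outside the hunk.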
@@ -20265,7 +20385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; term_create_pty($1_t,$1_devpts_t) -@@ -229,7 +221,12 @@ +@@ -229,7 +223,12 @@ corenet_udp_bind_all_nodes($1_t) corenet_tcp_bind_ssh_port($1_t) corenet_tcp_connect_all_ports($1_t) @@ -20278,7 +20398,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_dontaudit_getattr_all_fs($1_t) -@@ -254,9 +251,14 @@ +@@ -254,9 +253,14 @@ userdom_dontaudit_relabelfrom_user_ptys($1_t) userdom_search_user_home_dirs($1_t) @@ -20293,7 +20413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`use_samba_home_dirs',` -@@ -265,11 +267,7 @@ +@@ -265,11 +269,7 @@ optional_policy(` kerberos_use($1_t) @@ -20306,7 +20426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -611,3 +609,42 @@ +@@ -611,3 +611,42 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') @@ -20351,7 +20471,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.2/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/ssh.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/ssh.te 2009-01-16 16:06:27.000000000 -0500 @@ -75,7 +75,7 @@ ubac_constrained(ssh_tmpfs_t) 
@@ -20462,7 +20582,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.fc serefpolicy-3.6.2/policy/modules/services/stunnel.fc --- nsaserefpolicy/policy/modules/services/stunnel.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/stunnel.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/stunnel.fc 2009-01-16 16:06:27.000000000 -0500 @@ -2,5 +2,6 @@ /etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0) @@ -20472,7 +20592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.6.2/policy/modules/services/stunnel.te --- nsaserefpolicy/policy/modules/services/stunnel.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/stunnel.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/stunnel.te 2009-01-16 16:06:27.000000000 -0500 @@ -54,6 +54,8 @@ kernel_read_system_state(stunnel_t) kernel_read_network_state(stunnel_t) @@ -20492,7 +20612,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.6.2/policy/modules/services/sysstat.te --- nsaserefpolicy/policy/modules/services/sysstat.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/sysstat.te 2009-01-12 15:45:05.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/sysstat.te 2009-01-16 16:06:27.000000000 -0500 
@@ -26,6 +26,7 @@ can_exec(sysstat_t, sysstat_exec_t) @@ -20503,7 +20623,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # get info from /proc diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.6.2/policy/modules/services/telnet.te --- nsaserefpolicy/policy/modules/services/telnet.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/telnet.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/telnet.te 2009-01-16 16:06:27.000000000 -0500 @@ -87,8 +87,8 @@ userdom_search_user_home_dirs(telnetd_t) @@ -20517,7 +20637,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.6.2/policy/modules/services/tor.te --- nsaserefpolicy/policy/modules/services/tor.te 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/tor.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/tor.te 2009-01-16 16:06:27.000000000 -0500 @@ -34,7 +34,7 @@ # tor local policy # @@ -20529,7 +20649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow tor_t self:netlink_route_socket r_netlink_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.fc serefpolicy-3.6.2/policy/modules/services/ulogd.fc --- nsaserefpolicy/policy/modules/services/ulogd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/ulogd.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/ulogd.fc 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,10 @@ + +/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0) 
@@ -20543,7 +20663,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.if serefpolicy-3.6.2/policy/modules/services/ulogd.if --- nsaserefpolicy/policy/modules/services/ulogd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/ulogd.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/ulogd.if 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,127 @@ +## policy for ulogd + @@ -20674,7 +20794,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.6.2/policy/modules/services/ulogd.te --- nsaserefpolicy/policy/modules/services/ulogd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/ulogd.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/ulogd.te 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,51 @@ +policy_module(ulogd,1.0.0) + @@ -20729,7 +20849,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive ulogd_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.fc serefpolicy-3.6.2/policy/modules/services/uucp.fc --- nsaserefpolicy/policy/modules/services/uucp.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/uucp.fc 2009-01-13 09:34:09.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/uucp.fc 2009-01-16 16:06:27.000000000 -0500 @@ -7,3 +7,5 @@ /var/spool/uucppublic(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0) 
@@ -20738,7 +20858,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.2/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/uucp.te 2009-01-13 09:35:13.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/uucp.te 2009-01-16 16:06:27.000000000 -0500 @@ -10,6 +10,9 @@ inetd_tcp_service_domain(uucpd_t, uucpd_exec_t) role system_r types uucpd_t; @@ -20770,7 +20890,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.2/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/virt.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/virt.te 2009-01-16 16:06:27.000000000 -0500 @@ -96,7 +96,7 @@ corenet_tcp_sendrecv_all_nodes(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t) @@ -20812,7 +20932,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.2/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 2008-08-25 09:12:31.000000000 -0400 -+++ serefpolicy-3.6.2/policy/modules/services/w3c.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/w3c.te 2009-01-16 16:06:27.000000000 -0500 @@ -8,11 +8,18 @@ apache_content_template(w3c_validator) 
@@ -20834,7 +20954,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.2/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/xserver.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/xserver.fc 2009-01-16 16:06:27.000000000 -0500 @@ -3,11 +3,14 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) @@ -20901,7 +21021,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.2/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/xserver.if 2009-01-12 14:24:38.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/xserver.if 2009-01-16 16:06:27.000000000 -0500 @@ -156,7 +156,7 @@ allow $1 xserver_t:process signal; @@ -21309,7 +21429,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## display. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.2/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/xserver.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/xserver.te 2009-01-16 16:06:27.000000000 -0500 @@ -34,6 +34,13 @@ ## 
@@ -21680,7 +21800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` + polkit_domtrans_auth(xdm_t) -+ polkit_read_lib(xdm_t) ++ polkit_read_reload(xdm_t) +') + +# On crash gdm execs gdb to dump stack @@ -21849,13 +21969,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.fc serefpolicy-3.6.2/policy/modules/services/zosremote.fc --- nsaserefpolicy/policy/modules/services/zosremote.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/zosremote.fc 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/zosremote.fc 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,2 @@ + +/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.if serefpolicy-3.6.2/policy/modules/services/zosremote.if --- nsaserefpolicy/policy/modules/services/zosremote.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/zosremote.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/zosremote.if 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,46 @@ +## policy for z/OS Remote-services Audit dispatcher plugin + 
@@ -21905,7 +22025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.te serefpolicy-3.6.2/policy/modules/services/zosremote.te --- nsaserefpolicy/policy/modules/services/zosremote.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/services/zosremote.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/services/zosremote.te 2009-01-16 16:06:27.000000000 -0500 @@ -0,0 +1,33 @@ +policy_module(zosremote,1.0.0) + @@ -21987,7 +22107,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.2/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/system/authlogin.if 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/system/authlogin.if 2009-01-16 10:23:40.000000000 -0500 @@ -43,6 +43,7 @@ interface(`auth_login_pgm_domain',` gen_require(` @@ -23439,7 +23559,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.2/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.2/policy/modules/system/logging.te 2009-01-05 17:54:59.000000000 -0500 ++++ serefpolicy-3.6.2/policy/modules/system/logging.te 2009-01-16 14:54:05.000000000 -0500 
@@ -126,7 +126,7 @@ allow auditd_t self:process { signal_perms setpgid setsched }; allow auditd_t self:file rw_file_perms; @@ -23463,14 +23583,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # -allow audisp_t self:capability sys_nice; -+allow audisp_t self:capability { dac_override sys_nice }; - allow audisp_t self:process setsched; +-allow audisp_t self:process setsched; -allow audisp_t self:fifo_file rw_file_perms; ++allow audisp_t self:capability { dac_override sys_nice }; ++allow audisp_t self:process { signal_perms setsched }; +allow audisp_t self:fifo_file rw_fifo_file_perms; allow audisp_t self:unix_stream_socket create_stream_socket_perms; allow audisp_t self:unix_dgram_socket create_socket_perms; -@@ -231,9 +233,12 @@ +@@ -226,20 +228,32 @@ + manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) + files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) + +-corecmd_search_bin(audisp_t) ++corecmd_exec_bin(audisp_t) ++corecmd_exec_shell(audisp_t) + domain_use_interactive_fds(audisp_t) files_read_etc_files(audisp_t) @@ -23483,7 +23611,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(audisp_t) miscfiles_read_localization(audisp_t) -@@ -253,11 +258,16 @@ + + sysnet_dns_name_resolve(audisp_t) + ++optional_policy(` ++ dbus_system_bus_client(audisp_t) ++ ++ optional_policy(` ++ setroubleshoot_dbus_chat(audisp_t) ++ ') ++') ++ + ######################################## + # + # Audit remote logger local policy +@@ -253,11 +267,16 @@ corenet_tcp_sendrecv_all_nodes(audisp_remote_t) corenet_tcp_connect_audit_port(audisp_remote_t) corenet_sendrecv_audit_client_packets(audisp_remote_t) 
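Review bot: Replacing `corecmd_search_bin(audisp_t)` with `corecmd_exec_bin(audisp_t)` and `corecmd_exec_shell(audisp_t)` in the `@@ -23463,14 +23583,22 @@` hunk lets the audit dispatcher execute any bin_t binary or shell without a domain transition, so whatever it launches keeps audisp_t's own rights, including the `dac_override` and `sys_nice` capabilities granted a few lines earlier in the same hunk and the system-bus access added in the next hunk (`@@ -23483,7 +23611,21 @@`). Nothing in either hunk says which plugin or helper needs this, while the same patch gives the zos-remote plugin its own `zos_remote_exec_t` entrypoint and domain, which is the tighter pattern when the executable is known. If one specific helper is the reason, labelling it and transitioning it the way zosremote is handled would keep the blanket exec out of audisp_t; otherwise a comment above the two new lines, e.g. `# <plugin, TODO name it> is spawned by audispd and needs bin/shell exec in audisp_t`, would record the justification, and the same comment would suit the dbus/setroubleshoot block in the following hunk. The audisp local-policy section of logging.te that these lines belong to begins and ends outside the hunk.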
@@ -23500,7 +23642,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(audisp_remote_t) sysnet_dns_name_resolve(audisp_remote_t) -@@ -337,7 +347,7 @@ +@@ -337,7 +356,7 @@ allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; allow syslogd_t self:unix_dgram_socket sendto; diff --git a/selinux-policy.spec b/selinux-policy.spec index 3a4fea91..edec78ef 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.2 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -445,6 +445,9 @@ exit 0 %endif %changelog +* Thu Jan 15 2009 Dan Walsh 3.6.2-5 +- Define openoffice as an x_domain + * Mon Jan 12 2009 Dan Walsh 3.6.2-4 - Fixes for reading xserver_tmp_t
