diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-01-08 14:42:10.000000000 +0100
@@ -96,6 +96,7 @@
corenet_tcp_connect_ftp_port(abrt_t)
corenet_tcp_connect_all_ports(abrt_t)
+dev_getattr_all_chr_files(abrt_t)
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_memory_dev(abrt_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-01-06 15:16:37.000000000 +0100
@@ -16,6 +16,7 @@
attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
+ type httpd_sys_content_t;
')
#This type is for webpages
type httpd_$1_content_t;
@@ -123,6 +124,8 @@
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+
+ allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
')
tunable_policy(`httpd_enable_cgi',`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.6.32/policy/modules/services/apcupsd.te
--- nsaserefpolicy/policy/modules/services/apcupsd.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te 2010-01-06 13:06:31.000000000 +0100
@@ -31,7 +31,7 @@
#
allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
-allow apcupsd_t self:process signal;
+allow apcupsd_t self:process { signal signull };
allow apcupsd_t self:fifo_file rw_file_perms;
allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
allow apcupsd_t self:tcp_socket create_stream_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/cups.te 2010-01-08 20:32:23.000000000 +0100
@@ -555,6 +555,7 @@
logging_send_syslog_msg(cupsd_lpd_t)
miscfiles_read_localization(cupsd_lpd_t)
+miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
cups_stream_connect(cupsd_lpd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2010-01-08 14:24:25.000000000 +0100
@@ -276,7 +276,11 @@
mta_manage_spool(dovecot_deliver_t)
')
+
+
tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(dovecot_deliver_t)
+ fs_manage_nfs_dirs(dovecot_t)
fs_manage_nfs_files(dovecot_deliver_t)
fs_manage_nfs_symlinks(dovecot_deliver_t)
fs_manage_nfs_files(dovecot_t)
@@ -284,6 +288,8 @@
')
tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(dovecot_deliver_t)
+ fs_manage_cifs_dirs(dovecot_t)
fs_manage_cifs_files(dovecot_deliver_t)
fs_manage_cifs_symlinks(dovecot_deliver_t)
fs_manage_cifs_files(dovecot_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.6.32/policy/modules/services/fail2ban.if
--- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/fail2ban.if 2010-01-08 16:30:32.000000000 +0100
@@ -138,6 +138,24 @@
dontaudit $1 fail2ban_t:unix_stream_socket { read write };
')
+#######################################
+## <summary>
+## Read and write to an fail2ban unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_rw_stream_sockets',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ allow $1 fail2ban_t:unix_stream_socket { getattr read write ioctl };
+')
+
########################################
## <summary>
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2010-01-08 15:00:18.000000000 +0100
@@ -27,26 +27,59 @@
# check disk plugins
/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
# system plugins
-/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
# services plugins
/usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-01-08 15:01:28.000000000 +0100
@@ -118,6 +118,10 @@
corenet_udp_sendrecv_all_ports(nagios_t)
corenet_tcp_connect_all_ports(nagios_t)
+# neede by rpcinfo
+corenet_dontaudit_tcp_bind_all_ports(nagios_t)
+corenet_dontaudit_udp_bind_all_ports(nagios_t)
+
dev_read_sysfs(nagios_t)
dev_read_urand(nagios_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-01-08 20:27:51.000000000 +0100
@@ -443,6 +443,7 @@
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
+ spamassassin_kill_client(postfix_pipe_t)
')
optional_policy(`
@@ -486,7 +487,7 @@
')
optional_policy(`
- sendmail_dontaudit_rw_unix_stream_sockets(postfix_postdrop_t)
+ sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
')
optional_policy(`
@@ -573,6 +574,8 @@
# Postfix smtp delivery local policy
#
+allow postfix_smtp_t self:capability { sys_chroot };
+
# connect to master process
stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-01-06 13:55:09.000000000 +0100
@@ -286,6 +286,8 @@
allow smbd_t winbind_t:process { signal signull };
+allow smbd_t swat_t:process signal;
+
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
kernel_read_network_state(smbd_t)
@@ -485,6 +487,8 @@
manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+allow nmbd_t swat_t:process signal;
+
allow nmbd_t smbcontrol_t:process signal;
allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
@@ -661,6 +665,7 @@
allow swat_t self:udp_socket create_socket_perms;
allow swat_t self:unix_stream_socket connectto;
+samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow swat_t nmbd_exec_t:file mmap_file_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.32/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/sendmail.te 2010-01-08 16:31:13.000000000 +0100
@@ -136,6 +136,8 @@
optional_policy(`
fail2ban_read_lib_files(sendmail_t)
+ fail2ban_rw_stream_sockets(sendmail_t)
+
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/snmp.te 2010-01-06 15:41:37.000000000 +0100
@@ -27,7 +27,7 @@
#
allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
-allow snmpd_t self:process { signal_perms getsched setsched };
+allow snmpd_t self:process { signal signal_perms getsched setsched };
allow snmpd_t self:fifo_file rw_fifo_file_perms;
allow snmpd_t self:unix_dgram_socket create_socket_perms;
allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.32/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.if 2010-01-06 15:40:10.000000000 +0100
@@ -267,6 +267,24 @@
stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
')
+######################################
+## <summary>
+## Send kill signal to spamassassin client
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_kill_client',`
+ gen_require(`
+ type spamc_t;
+ ')
+
+ allow $1 spamc_t:process sigkill;
+')
+
########################################
## <summary>
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-01-06 16:09:14.000000000 +0100
@@ -430,6 +430,8 @@
corenet_tcp_connect_virt_migration_port(virt_domain)
dev_read_sound(virt_domain)
+dev_read_rand(virt_domain)
+dev_read_urand(virt_domain)
dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-01-08 14:49:31.000000000 +0100
@@ -65,6 +65,8 @@
/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/bin/lxdm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -105,6 +107,7 @@
/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
@@ -116,6 +119,7 @@
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/slim\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-01-08 14:07:19.000000000 +0100
@@ -301,6 +301,8 @@
manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
+allow xauth_t xserver_t:unix_stream_socket connectto;
+
domain_use_interactive_fds(xauth_t)
dev_rw_xserver_misc(xauth_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-01-08 20:06:50.000000000 +0100
@@ -245,6 +245,7 @@
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/lib(64)?/codecs/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -433,8 +434,13 @@
/usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/lampp/lib/libsybdb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/Unify/SQLBase/libgptsblmsui11.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-01-06 11:05:51.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2010-01-08 20:32:11.000000000 +0100
@@ -618,3 +618,22 @@
manage_lnk_files_pattern($1, locale_t, locale_t)
')
+#######################################
+## <summary>
+## Set the attributes on a fonts cache directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_setattr_fonts_cache_dirs',`
+ gen_require(`
+ type fonts_cache_t;
+ ')
+
+ allow $1 fonts_cache_t:dir setattr;
+')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.32/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2010-01-06 11:05:51.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/system/unconfined.if 2010-01-08 16:35:49.000000000 +0100
@@ -21,6 +21,8 @@
allow $1 self:capability all_capabilities;
allow $1 self:fifo_file manage_fifo_file_perms;
+ allow $1 self:socket_class_set create_socket_perms;
+
# Transition to myself, to make get_ordered_context_list happy.
allow $1 self:process transition;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.32/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-01-06 11:05:51.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.fc 2010-01-07 16:46:35.000000000 +0100
@@ -6,4 +6,5 @@
/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
HOME_DIR/\.gvfs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2010-01-06 11:05:51.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/system/xen.te 2010-01-08 14:14:45.000000000 +0100
@@ -248,10 +248,11 @@
#
allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
+allow xenconsoled_t self:process setrlimit;
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
-allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
+allow xenconsoled_t xen_devpts_t:chr_file manage_term_perms;
# pid file
manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
@@ -268,6 +269,7 @@
domain_dontaudit_ptrace_all_domains(xenconsoled_t)
+files_read_etc_files(xenconsoled_t)
files_read_usr_files(xenconsoled_t)
fs_list_tmpfs(xenconsoled_t)
@@ -286,6 +288,10 @@
xen_manage_log(xenconsoled_t)
xen_stream_connect_xenstore(xenconsoled_t)
+optional_policy(`
+ ptchown_domtrans(xenconsoled_t)
+')
+
########################################
#
# Xen store local policy
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-01-06 11:05:51.000000000 +0100
+++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2010-01-08 20:35:13.000000000 +0100
@@ -310,7 +310,7 @@
#
define(`rw_inherited_term_perms', `{ getattr open read write ioctl append }')
define(`rw_term_perms', `{ open rw_inherited_term_perms }')
-
+define(`manage_term_perms',`{ create open setattr rename link unlink rw_inherited_term_perms }')
#
# Sockets
#