diff --git a/config.tgz b/config.tgz
index 32fecce..658efa9 100644
Binary files a/config.tgz and b/config.tgz differ
diff --git a/customizable_types b/customizable_types
index dbe706b..04a57c2 100644
--- a/customizable_types
+++ b/customizable_types
@@ -1,3 +1,4 @@
+sandbox_file_t
svirt_image_t
virt_content_t
httpd_user_htaccess_t
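Review bot: Listing `sandbox_file_t` in customizable_types at L9 means a default restorecon/setfiles pass leaves any existing `sandbox_file_t` label in place and only a forced relabel resets it. That is presumably intended because sandbox directories live under user-chosen paths, but it also means a stale `sandbox_file_t` label on a home or tmp directory persists after the sandbox is gone, so cleanup now rests entirely on the tmpreaper rules this commit adds elsewhere (`sandbox_setattr_dirs(tmpreaper_t)`). Please record that rationale in the commit message, since this list file has nowhere to carry it.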
diff --git a/modules-minimum.conf b/modules-minimum.conf
index 117ca3f..6e0a4f7 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -1239,6 +1239,13 @@ pyzor = module
#
qmail = module
+# Layer: services
+# Module: qpidd
+#
+# Policy for qpidd
+#
+qpidd = module
+
# Layer: admin
# Module: quota
#
diff --git a/modules-mls.conf b/modules-mls.conf
index 236334f..21af079 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -1169,7 +1169,6 @@ pulseaudio = module
#
pyzor = module
-
# Layer: services
# Module: qmail
#
@@ -1177,6 +1176,13 @@ pyzor = module
#
qmail = module
+# Layer: services
+# Module: qpidd
+#
+# Policy for qpidd
+#
+qpidd = module
+
# Layer: admin
# Module: quota
#
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 117ca3f..6e0a4f7 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1239,6 +1239,13 @@ pyzor = module
#
qmail = module
+# Layer: services
+# Module: qpidd
+#
+# Policy for qpidd
+#
+qpidd = module
+
# Layer: admin
# Module: quota
#
diff --git a/policy-F13.patch b/policy-F13.patch
index e2e0a54..1b4f8bb 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -48,6 +48,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
+##
+gen_tunable(mmap_low_allowed, false)
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.7.15/policy/mls
+--- nsaserefpolicy/policy/mls 2010-03-08 14:49:44.000000000 -0500
++++ serefpolicy-3.7.15/policy/mls 2010-03-19 11:53:50.000000000 -0400
+@@ -214,6 +214,7 @@
+ (( l1 eq l2 ) or
+ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
++ ( t2 == mlstrustedobject ) or
+ ( t1 == mlsnetwrite ));
+
+ # these access vectors have no MLS restrictions
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-3.7.15/policy/modules/admin/acct.te
--- nsaserefpolicy/policy/modules/admin/acct.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.15/policy/modules/admin/acct.te 2010-03-18 11:49:55.000000000 -0400
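Review bot: The new `( t2 == mlstrustedobject ) or` term at L86 exempts every object type carrying the mlstrustedobject attribute from this MLS constraint for all classes and permissions it covers, and the constraint head that names those classes is outside the hunk, so the real scope of the exemption is not visible here; from the surrounding mlsnetwrite* terms it appears to be a network write constraint. The same commit widens what carries that attribute with `mls_trusted_object(tun_tap_device_t)` (corenetwork.te.in hunk), `mls_trusted_object(kvm_device_t)` (devices.te hunk) and `mls_trusted_object(anon_inodefs_t)` (filesystem.te hunk), so the reader cannot tell which of those three motivated relaxing this particular constraint. Add a comment above the new term, e.g. `# objects marked by mls_trusted_object() are exempt from this check`, and say in the commit message which trusted object needed it, because each later `mls_trusted_object()` call will now silently inherit this exemption too.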
@@ -140,7 +151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.15/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.15/policy/modules/admin/logrotate.te 2010-03-18 11:49:55.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/admin/logrotate.te 2010-03-22 12:01:37.000000000 -0400
@@ -32,7 +32,7 @@
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
@@ -220,7 +231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
')
optional_policy(`
-@@ -183,6 +202,15 @@
+@@ -183,6 +202,19 @@
')
optional_policy(`
@@ -233,10 +244,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
+')
+
+optional_policy(`
++ sssd_domtrans(logrotate_t)
++')
++
++optional_policy(`
slrnpull_manage_spool(logrotate_t)
')
-@@ -191,5 +219,9 @@
+@@ -191,5 +223,9 @@
')
optional_policy(`
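Review bot: The new `optional_policy` block at L112-L114 lets logrotate_t domain-transition into sssd's domain, but nothing records which rotation step needs it (presumably a logrotate.d post-rotate hook invoking an sssd tool, please confirm). Since this is a cron-driven root domain entering a daemon domain, a one-line comment naming the logrotate.d snippet that triggers the transition would let the next reader verify the grant is still required. The logrotate_t rule block this sits in begins and ends outside the hunk.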
@@ -374,7 +389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.15/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/admin/prelink.te 2010-03-18 11:49:55.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/admin/prelink.te 2010-03-18 12:50:48.000000000 -0400
@@ -21,8 +21,21 @@
type prelink_tmp_t;
files_tmp_file(prelink_tmp_t)
@@ -439,7 +454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
optional_policy(`
amanda_manage_lib(prelink_t)
-@@ -99,5 +118,59 @@
+@@ -99,5 +118,58 @@
')
optional_policy(`
@@ -481,7 +496,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
+
+files_search_var_lib(prelink_cron_system_t)
+
-+init_chat(prelink_cron_system_t)
+init_exec(prelink_cron_system_t)
+
+kernel_read_system_state(prelink_cron_system_t)
@@ -512,7 +526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.t
dev_getattr_all_blk_files(quota_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.15/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/admin/readahead.te 2010-03-18 11:49:55.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/admin/readahead.te 2010-03-23 07:59:53.000000000 -0400
@@ -52,6 +52,7 @@
files_list_non_security(readahead_t)
@@ -521,7 +535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe
files_create_boot_flag(readahead_t)
files_getattr_all_pipes(readahead_t)
files_dontaudit_getattr_all_sockets(readahead_t)
-@@ -61,6 +62,8 @@
+@@ -61,8 +62,11 @@
fs_search_auto_mountpoints(readahead_t)
fs_getattr_all_pipes(readahead_t)
fs_getattr_all_files(readahead_t)
@@ -529,7 +543,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe
+fs_read_tmpfs_files(readahead_t)
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
++fs_dontaudit_read_tmpfs_blk_dev(readahead_t)
fs_dontaudit_search_ramfs(readahead_t)
+ fs_dontaudit_read_ramfs_pipes(readahead_t)
+ fs_dontaudit_read_ramfs_files(readahead_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.15/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.15/policy/modules/admin/rpm.fc 2010-03-18 11:49:55.000000000 -0400
@@ -1041,7 +1058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.15/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.15/policy/modules/admin/rpm.te 2010-03-18 11:49:55.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/admin/rpm.te 2010-03-18 12:51:06.000000000 -0400
@@ -1,6 +1,8 @@
policy_module(rpm, 1.10.0)
@@ -1282,7 +1299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
+files_relabel_all_files(rpm_script_t)
init_domtrans_script(rpm_script_t)
-+init_chat(rpm_script_t)
++init_telinit(rpm_script_t)
libs_exec_ld_so(rpm_script_t)
libs_exec_lib_files(rpm_script_t)
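Review bot: `init_chat(rpm_script_t)` is swapped for `init_telinit(rpm_script_t)` at L186-L187, and unconfined_t gets the same substitution at L804-L805, but the prelink hunk at L143 simply deletes `init_chat(prelink_cron_system_t)` with no replacement, so the three former callers now end up with different access. If the prelink cron job no longer needs to talk to init at all, that is fine but worth a sentence in the commit message; if it does, it needs the same `init_telinit` line. The rpm_script_t rule block continues outside the hunk.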
@@ -1588,7 +1605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.15/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.15/policy/modules/admin/tmpreaper.te 2010-03-18 11:49:55.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/admin/tmpreaper.te 2010-03-23 08:11:08.000000000 -0400
@@ -42,6 +42,7 @@
cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
@@ -1611,13 +1628,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
kismet_manage_log(tmpreaper_t)
')
-@@ -60,5 +68,15 @@
+@@ -60,5 +68,16 @@
')
optional_policy(`
+ sandbox_list(tmpreaper_t)
+ sandbox_delete_dirs(tmpreaper_t)
+ sandbox_delete_files(tmpreaper_t)
++ sandbox_setattr_dirs(tmpreaper_t)
+')
+
+optional_policy(`
@@ -4718,8 +4736,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+# No types are sandbox_exec_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.15/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/apps/sandbox.if 2010-03-18 11:49:55.000000000 -0400
-@@ -0,0 +1,250 @@
++++ serefpolicy-3.7.15/policy/modules/apps/sandbox.if 2010-03-23 08:12:43.000000000 -0400
+@@ -0,0 +1,269 @@
+
+## policy for sandbox
+
@@ -4919,7 +4937,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+########################################
+##
-+## allow domain to delete sandbox files
++## Delete sandbox files
+##
+##
+##
@@ -4937,6 +4955,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+########################################
+##
++## Allow domain to set the attributes
++## of the sandbox directory.
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`sandbox_setattr_dirs',`
++ gen_require(`
++ attribute sandbox_file_type;
++ ')
++
++ allow $1 sandbox_file_type:dir setattr;
++')
++
++########################################
++##
+## allow domain to delete sandbox files
+##
+##
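Review bot: The summary at L235-L236 says "the sandbox directory", but the rule at L249 applies to every type carrying the `sandbox_file_type` attribute, so the interface grants setattr on all sandbox directories rather than one; `## Allow domain to set the attributes` / `## of sandbox directories.` describes it accurately. It is also worth noting in the summary that dir setattr covers ownership, mode and timestamp changes, which is more than the only caller added in this commit (`sandbox_setattr_dirs(tmpreaper_t)` at L207) obviously needs for cleanup, so a reader can check which attribute tmpreaper actually changes.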
@@ -5508,7 +5545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.15/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.15/policy/modules/apps/slocate.te 2010-03-18 11:49:55.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/apps/slocate.te 2010-03-18 12:03:23.000000000 -0400
@@ -30,6 +30,7 @@
manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
@@ -5517,8 +5554,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.
kernel_dontaudit_search_sysctl(locate_t)
corecmd_exec_bin(locate_t)
-@@ -50,6 +51,7 @@
+@@ -48,8 +49,11 @@
+ fs_getattr_all_files(locate_t)
+ fs_getattr_all_pipes(locate_t)
fs_getattr_all_symlinks(locate_t)
++fs_getattr_all_blk_files(locate_t)
++fs_getattr_all_chr_files(locate_t)
fs_list_all(locate_t)
fs_list_inotifyfs(locate_t)
+fs_read_noxattr_fs_symlinks(locate_t)
@@ -5770,7 +5811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.7.15/policy/modules/apps/wm.if
--- nsaserefpolicy/policy/modules/apps/wm.if 2009-07-27 18:11:17.000000000 -0400
-+++ serefpolicy-3.7.15/policy/modules/apps/wm.if 2010-03-18 11:49:55.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/apps/wm.if 2010-03-18 17:08:48.000000000 -0400
@@ -30,6 +30,7 @@
template(`wm_role_template',`
gen_require(`
@@ -5784,8 +5825,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
allow $1_wm_t $3:unix_stream_socket connectto;
+ allow $3 $1_wm_t:unix_stream_socket connectto;
-+ allow $3 $1_wm_t:process signal;
-+ allow $1_wm_t $3:process signull;
++ allow $3 $1_wm_t:process { signal sigchld };
++ allow $1_wm_t $3:process { signull sigkill };
+
+ allow $1_wm_t $3:dbus send_msg;
+ allow $3 $1_wm_t:dbus send_msg;
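Review bot: L292 now lets `$1_wm_t` send `sigkill` to the `$3` user domain, a real broadening over the previous `signull`: the window manager domain can terminate any process running in the user's domain. That is plausibly for force-quitting unresponsive clients (please confirm), and deserves a comment so it is not mistaken for an accident, e.g. `# wm may force-kill unresponsive clients running in the user domain`. The template body continues outside the hunk.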
@@ -5876,8 +5917,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.15/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-03-18 06:48:09.000000000 -0400
-+++ serefpolicy-3.7.15/policy/modules/kernel/corenetwork.te.in 2010-03-18 11:49:55.000000000 -0400
-@@ -65,6 +65,7 @@
++++ serefpolicy-3.7.15/policy/modules/kernel/corenetwork.te.in 2010-03-18 17:12:03.000000000 -0400
+@@ -25,6 +25,7 @@
+ #
+ type tun_tap_device_t;
+ dev_node(tun_tap_device_t)
++mls_trusted_object(tun_tap_device_t)
+
+ ########################################
+ #
+@@ -65,6 +66,7 @@
type server_packet_t, packet_type, server_packet_type;
network_port(afs_bos, udp,7007,s0)
@@ -5885,7 +5934,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
network_port(afs_ka, udp,7004,s0)
network_port(afs_pt, udp,7002,s0)
-@@ -79,6 +80,7 @@
+@@ -73,12 +75,14 @@
+ network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
+ network_port(amavisd_recv, tcp,10024,s0)
+ network_port(amavisd_send, tcp,10025,s0)
++network_port(amqp, tcp,5171,s0, udp,5171,s0, tcp,5172,s0, udp,5172,s0)
+ network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0)
+ network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
+ network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
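Review bot: The new `network_port(amqp, tcp,5171,s0, udp,5171,s0, tcp,5172,s0, udp,5172,s0)` at L323 labels ports 5171/5172, whereas the IANA-registered AMQP ports are 5672 (amqp) and 5671 (amqps). Unless qpidd is deliberately configured to listen on 5171/5172, the `amqp_port_t` label would never match the broker's real socket and the qpidd module enabled in this commit's modules-*.conf would see denials on the unlabelled port instead. Please verify against qpidd's default listen configuration and, if the digits are transposed, correct all four entries. The port table this sits in continues outside the hunk.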
@@ -5893,7 +5949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
network_port(certmaster, tcp,51235,s0)
network_port(chronyd, udp,323,s0)
-@@ -86,6 +88,7 @@
+@@ -86,6 +90,7 @@
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
network_port(cobbler, tcp,25151,s0)
@@ -5901,7 +5957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(comsat, udp,512,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
-@@ -98,7 +101,9 @@
+@@ -98,7 +103,9 @@
network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
network_port(epmap, tcp,135,s0, udp,135,s0)
@@ -5911,7 +5967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -132,32 +137,43 @@
+@@ -132,32 +139,43 @@
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
network_port(lmtp, tcp,24,s0, udp,24,s0)
@@ -5955,7 +6011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -177,16 +193,18 @@
+@@ -177,16 +195,18 @@
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rwho, udp,513,s0)
network_port(sap, tcp,9875,s0, udp,9875,s0)
@@ -5975,7 +6031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
network_port(swat, tcp,901,s0)
network_port(syslogd, udp,514,s0)
-@@ -201,7 +219,7 @@
+@@ -201,7 +221,7 @@
network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -5997,7 +6053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.15/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-03-05 10:46:32.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/kernel/devices.if 2010-03-18 11:49:55.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/kernel/devices.if 2010-03-18 12:03:03.000000000 -0400
@@ -934,6 +934,42 @@
########################################
@@ -6101,8 +6157,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.15/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2010-03-05 10:46:32.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/kernel/devices.te 2010-03-18 11:49:55.000000000 -0400
-@@ -210,7 +210,7 @@
++++ serefpolicy-3.7.15/policy/modules/kernel/devices.te 2010-03-18 17:12:32.000000000 -0400
+@@ -101,6 +101,7 @@
+ #
+ type kvm_device_t;
+ dev_node(kvm_device_t)
++mls_trusted_object(kvm_device_t)
+
+ #
+ # Type for /dev/lirc
+@@ -210,7 +211,7 @@
files_mountpoint(sysfs_t)
fs_type(sysfs_t)
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
@@ -6111,7 +6175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
#
# Type for /dev/tpm
#
-@@ -239,6 +239,12 @@
+@@ -239,6 +240,12 @@
dev_node(usb_device_t)
#
@@ -6124,7 +6188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
# userio_device_t is the type for /dev/uio[0-9]+
#
type userio_device_t;
-@@ -289,5 +295,6 @@
+@@ -289,5 +296,6 @@
#
allow devices_unconfined_type self:capability sys_rawio;
@@ -6241,7 +6305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.15/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2010-03-18 06:48:09.000000000 -0400
-+++ serefpolicy-3.7.15/policy/modules/kernel/domain.te 2010-03-18 11:49:55.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/kernel/domain.te 2010-03-22 11:37:06.000000000 -0400
@@ -5,6 +5,21 @@
#
# Declarations
@@ -6413,7 +6477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.15/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.15/policy/modules/kernel/files.fc 2010-03-18 11:49:55.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/kernel/files.fc 2010-03-22 12:41:08.000000000 -0400
@@ -18,6 +18,7 @@
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -7333,7 +7397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.15/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-03-12 11:48:14.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/kernel/filesystem.if 2010-03-18 11:49:55.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/kernel/filesystem.if 2010-03-23 08:00:45.000000000 -0400
@@ -1141,7 +1141,7 @@
type cifs_t;
')
@@ -7360,7 +7424,77 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
')
########################################
-@@ -4549,3 +4550,24 @@
+@@ -3870,6 +3871,24 @@
+
+ ########################################
+ ##
++## dontaudit Read and write block nodes on tmpfs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_dontaudit_read_tmpfs_blk_dev',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
++')
++
++########################################
++##
+ ## Relabel character nodes on tmpfs filesystems.
+ ##
+ ##
+@@ -4432,6 +4451,44 @@
+
+ ########################################
+ ##
++## Get the attributes of all blk files with
++## a filesystem type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_getattr_all_blk_files',`
++ gen_require(`
++ attribute filesystem_type;
++ ')
++
++ getattr_blk_files_pattern($1, filesystem_type, filesystem_type)
++')
++
++########################################
++##
++## Get the attributes of all chr files with
++## a filesystem type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_getattr_all_chr_files',`
++ gen_require(`
++ attribute filesystem_type;
++ ')
++
++ getattr_chr_files_pattern($1, filesystem_type, filesystem_type)
++')
++
++########################################
++##
+ ## Do not audit attempts to get the attributes
+ ## of all files with a filesystem type.
+ ##
+@@ -4549,3 +4606,24 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
')
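Review bot: The summary of `fs_dontaudit_read_tmpfs_blk_dev` at L453 promises "Read and write", but the rule at L466 only dontaudits `read_blk_file_perms`, and the interface name says read as well; change the summary to `## Do not audit attempts to read block nodes on tmpfs filesystems.` so a caller does not assume write denials are silenced too. The two new getattr interfaces (`fs_getattr_all_blk_files`, `fs_getattr_all_chr_files`) match their summaries. The interface file continues outside the hunk on both sides.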
@@ -7387,8 +7521,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.15/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2010-03-12 11:48:14.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/kernel/filesystem.te 2010-03-18 11:49:55.000000000 -0400
-@@ -172,6 +172,7 @@
++++ serefpolicy-3.7.15/policy/modules/kernel/filesystem.te 2010-03-18 17:04:39.000000000 -0400
+@@ -53,6 +53,7 @@
+ fs_type(anon_inodefs_t)
+ files_mountpoint(anon_inodefs_t)
+ genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
++mls_trusted_object(anon_inodefs_t)
+
+ type bdev_t;
+ fs_type(bdev_t)
+@@ -172,6 +173,7 @@
fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
@@ -7396,7 +7538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
allow tmpfs_t noxattrfs:filesystem associate;
-@@ -242,6 +243,7 @@
+@@ -242,6 +244,7 @@
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -7542,7 +7684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
# Unlabeled process local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.15/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.15/policy/modules/kernel/selinux.if 2010-03-18 11:49:55.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/kernel/selinux.if 2010-03-19 12:09:51.000000000 -0400
@@ -40,7 +40,7 @@
# because of this statement, any module which
@@ -7703,14 +7845,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.t
+gen_user(guest_u, user, guest_r, s0, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.15/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2010-03-10 15:27:26.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/roles/staff.te 2010-03-18 11:49:55.000000000 -0400
-@@ -10,24 +10,50 @@
++++ serefpolicy-3.7.15/policy/modules/roles/staff.te 2010-03-22 12:16:23.000000000 -0400
+@@ -9,25 +9,52 @@
+ role staff_r;
userdom_unpriv_user_template(staff)
-
++fs_exec_noxattr(staff_t)
++
+# needed for sandbox
+allow staff_t self:process setexec;
-+
+
########################################
#
# Local policy
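Review bot: `fs_exec_noxattr(staff_t)` at L568, and `fs_exec_noxattr(user_t)` at L820 in the unprivuser.te hunk, let these user domains execute files from filesystems that carry no labels (removable vfat or ISO media and similar), which is precisely the content the label-based exec policy otherwise keeps confined users away from. Rather than an unconditional allow, consider gating it under a tunable, reusing the one that already governs executing user-writable content for these roles if such a boolean exists, so a locked-down site can turn it off. In either case add a comment such as `# run binaries from unlabelled (noxattr) media, e.g. USB sticks` so the intent is recorded. The declarations block this sits in starts outside the hunk.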
@@ -7755,7 +7899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
bluetooth_role(staff_r, staff_t)
')
-@@ -99,12 +125,18 @@
+@@ -99,12 +126,18 @@
oident_manage_user_content(staff_t)
oident_relabel_user_content(staff_t)
')
@@ -7774,7 +7918,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
pyzor_role(staff_r, staff_t)
')
-@@ -119,22 +151,27 @@
+@@ -119,22 +152,27 @@
optional_policy(`
screen_role_template(staff, staff_r, staff_t)
')
@@ -7802,7 +7946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
optional_policy(`
sudo_role_template(staff, staff_r, staff_t)
-@@ -145,6 +182,7 @@
+@@ -145,6 +183,7 @@
userdom_dontaudit_use_user_terminals(staff_t)
')
@@ -7810,7 +7954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
optional_policy(`
thunderbird_role(staff_r, staff_t)
')
-@@ -169,6 +207,71 @@
+@@ -169,6 +208,71 @@
wireshark_role(staff_r, staff_t)
')
@@ -7884,7 +8028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
+userhelper_console_role_template(staff, staff_t, staff_usertype)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.15/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-02-17 10:37:39.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/roles/sysadm.te 2010-03-18 11:49:55.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/roles/sysadm.te 2010-03-19 13:02:16.000000000 -0400
@@ -15,7 +15,7 @@
role sysadm_r;
@@ -7894,7 +8038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
ifndef(`enable_mls',`
userdom_security_admin_template(sysadm_t, sysadm_r)
-@@ -28,17 +28,28 @@
+@@ -28,17 +28,29 @@
corecmd_exec_shell(sysadm_t)
@@ -7902,6 +8046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
+
mls_process_read_up(sysadm_t)
+mls_file_read_to_clearance(sysadm_t)
++mls_process_write_to_clearance(sysadm_t)
ubac_process_exempt(sysadm_t)
ubac_file_exempt(sysadm_t)
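Review bot: `mls_process_write_to_clearance(sysadm_t)` at L626 joins `mls_process_read_up` and `mls_file_read_to_clearance` in lifting sysadm_t out of the MLS process write constraint up to its clearance, so the sysadm role is now MLS-trusted in several directions at once; that is a policy decision, not a routine rule, and should carry a comment naming the administrative operation that was denied without it. The enclosing block begins outside the hunk, so whether these calls are inside an MLS-only region cannot be confirmed from here.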
@@ -7923,7 +8068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
ifdef(`direct_sysadm_daemon',`
optional_policy(`
-@@ -70,7 +81,9 @@
+@@ -70,7 +82,9 @@
apache_run_helper(sysadm_t, sysadm_r)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
@@ -7934,7 +8079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
')
optional_policy(`
-@@ -86,9 +99,11 @@
+@@ -86,9 +100,11 @@
auditadm_role_change(sysadm_r)
')
@@ -7946,7 +8091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
backup_run(sysadm_t, sysadm_r)
-@@ -98,17 +113,25 @@
+@@ -98,17 +114,25 @@
bind_run_ndc(sysadm_t, sysadm_r)
')
@@ -7972,7 +8117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
certwatch_run(sysadm_t, sysadm_r)
-@@ -126,16 +149,18 @@
+@@ -126,16 +150,18 @@
consoletype_run(sysadm_t, sysadm_r)
')
@@ -7993,7 +8138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
')
optional_policy(`
-@@ -165,9 +190,11 @@
+@@ -165,9 +191,11 @@
ethereal_run_tethereal(sysadm_t, sysadm_r)
')
@@ -8005,7 +8150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
firstboot_run(sysadm_t, sysadm_r)
-@@ -177,6 +204,7 @@
+@@ -177,6 +205,7 @@
fstools_run(sysadm_t, sysadm_r)
')
@@ -8013,7 +8158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
games_role(sysadm_r, sysadm_t)
')
-@@ -192,6 +220,7 @@
+@@ -192,6 +221,7 @@
optional_policy(`
gpg_role(sysadm_r, sysadm_t)
')
@@ -8021,7 +8166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
hostname_run(sysadm_t, sysadm_r)
-@@ -205,6 +234,9 @@
+@@ -205,6 +235,9 @@
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -8031,7 +8176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
')
optional_policy(`
-@@ -212,12 +244,18 @@
+@@ -212,12 +245,18 @@
')
optional_policy(`
@@ -8050,7 +8195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
kudzu_run(sysadm_t, sysadm_r)
-@@ -227,9 +265,11 @@
+@@ -227,9 +266,11 @@
libs_run_ldconfig(sysadm_t, sysadm_r)
')
@@ -8062,7 +8207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
logrotate_run(sysadm_t, sysadm_r)
-@@ -252,8 +292,10 @@
+@@ -252,8 +293,10 @@
optional_policy(`
mount_run(sysadm_t, sysadm_r)
@@ -8073,7 +8218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
mozilla_role(sysadm_r, sysadm_t)
')
-@@ -261,6 +303,7 @@
+@@ -261,6 +304,7 @@
optional_policy(`
mplayer_role(sysadm_r, sysadm_t)
')
@@ -8081,7 +8226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
mta_role(sysadm_r, sysadm_t)
-@@ -308,8 +351,14 @@
+@@ -308,8 +352,14 @@
')
optional_policy(`
@@ -8096,7 +8241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
quota_run(sysadm_t, sysadm_r)
-@@ -319,9 +368,11 @@
+@@ -319,9 +369,11 @@
raid_domtrans_mdadm(sysadm_t)
')
@@ -8108,7 +8253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
rpc_domtrans_nfsd(sysadm_t)
-@@ -331,9 +382,11 @@
+@@ -331,9 +383,11 @@
rpm_run(sysadm_t, sysadm_r)
')
@@ -8120,7 +8265,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
rsync_exec(sysadm_t)
-@@ -358,8 +411,14 @@
+@@ -358,8 +412,14 @@
')
optional_policy(`
@@ -8135,7 +8280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
ssh_role_template(sysadm, sysadm_r, sysadm_t)
-@@ -369,6 +428,7 @@
+@@ -369,6 +429,7 @@
staff_role_change(sysadm_r)
')
@@ -8143,7 +8288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
su_role_template(sysadm, sysadm_r, sysadm_t)
')
-@@ -376,15 +436,18 @@
+@@ -376,15 +437,18 @@
optional_policy(`
sudo_role_template(sysadm, sysadm_r, sysadm_t)
')
@@ -8162,7 +8307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
tripwire_run_siggen(sysadm_t, sysadm_r)
-@@ -393,17 +456,21 @@
+@@ -393,17 +457,21 @@
tripwire_run_twprint(sysadm_t, sysadm_r)
')
@@ -8184,7 +8329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
unconfined_domtrans(sysadm_t)
-@@ -417,9 +484,11 @@
+@@ -417,9 +485,11 @@
usbmodules_run(sysadm_t, sysadm_r)
')
@@ -8196,7 +8341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
-@@ -427,9 +496,15 @@
+@@ -427,9 +497,15 @@
usermanage_run_useradd(sysadm_t, sysadm_r)
')
@@ -8212,7 +8357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
vpn_run(sysadm_t, sysadm_r)
-@@ -440,13 +515,26 @@
+@@ -440,13 +516,26 @@
')
optional_policy(`
@@ -8926,7 +9071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.15/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/roles/unconfineduser.te 2010-03-18 11:49:55.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/roles/unconfineduser.te 2010-03-18 12:51:27.000000000 -0400
@@ -0,0 +1,417 @@
+policy_module(unconfineduser, 1.0.0)
+
@@ -9006,7 +9151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+
+init_run_daemon(unconfined_t, unconfined_r)
+init_domtrans_script(unconfined_t)
-+init_chat(unconfined_t)
++init_telinit(unconfined_t)
+
+libs_run_ldconfig(unconfined_t, unconfined_r)
+
@@ -9347,8 +9492,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.15/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2010-03-10 15:27:39.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/roles/unprivuser.te 2010-03-18 11:49:55.000000000 -0400
-@@ -17,6 +17,7 @@
++++ serefpolicy-3.7.15/policy/modules/roles/unprivuser.te 2010-03-22 12:16:15.000000000 -0400
+@@ -13,10 +13,13 @@
+
+ userdom_unpriv_user_template(user)
+
++fs_exec_noxattr(user_t)
++
+ optional_policy(`
apache_role(user_r, user_t)
')
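Review bot: `fs_exec_noxattr(user_t)` is granted unconditionally, so an ordinary user_t session can execute any file on a filesystem that carries no security xattrs (removable vfat media, NFS mounted without labeling support), which sidesteps the executable-type checks the rest of the unprivileged role is built on. If that is wanted for desktop convenience it should at least be switchable off on locked-down hosts: wrap the call in a `tunable_policy()` block keyed on the user exec-content boolean if this policy version already defines one, otherwise on a dedicated tunable declared in global_tunables with a description of what it opens up. The surrounding unprivuser.te declarations continue outside this hunk.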
@@ -9356,7 +9507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
optional_policy(`
auth_role(user_r, user_t)
')
-@@ -109,11 +110,25 @@
+@@ -109,11 +112,25 @@
optional_policy(`
rssh_role(user_r, user_t)
')
@@ -9382,7 +9533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
optional_policy(`
spamassassin_role(user_r, user_t)
')
-@@ -154,6 +169,12 @@
+@@ -154,6 +171,12 @@
wireshark_role(user_r, user_t)
')
@@ -9397,7 +9548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.15/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2010-03-10 15:28:09.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/roles/xguest.te 2010-03-18 11:49:55.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/roles/xguest.te 2010-03-22 12:15:44.000000000 -0400
@@ -15,7 +15,7 @@
##
@@ -9711,7 +9862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.15/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/services/abrt.te 2010-03-18 11:49:55.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/abrt.te 2010-03-22 11:56:03.000000000 -0400
@@ -33,12 +33,24 @@
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -10374,7 +10525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.15/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.15/policy/modules/services/apache.fc 2010-03-18 11:49:55.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/apache.fc 2010-03-22 14:22:23.000000000 -0400
@@ -2,12 +2,19 @@
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
@@ -10444,7 +10595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -47,16 +75,21 @@
+@@ -47,16 +75,22 @@
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -10462,11 +10613,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
')
-@@ -64,11 +97,34 @@
+@@ -64,11 +98,34 @@
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -12594,8 +12746,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.15/policy/modules/services/boinc.te
--- nsaserefpolicy/policy/modules/services/boinc.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/services/boinc.te 2010-03-18 11:49:55.000000000 -0400
-@@ -0,0 +1,80 @@
++++ serefpolicy-3.7.15/policy/modules/services/boinc.te 2010-03-19 09:12:32.000000000 -0400
+@@ -0,0 +1,81 @@
+
+policy_module(boinc,1.0.0)
+
@@ -12625,7 +12777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+#
+
+allow boinc_t self:capability { kill };
-+allow boinc_t self:process { execmem fork setsched signal };
++allow boinc_t self:process { execmem fork setsched signal sigkill };
+
+allow boinc_t self:fifo_file rw_fifo_file_perms;
+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
@@ -12671,6 +12823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+term_dontaudit_getattr_ptmx(boinc_t)
+
+miscfiles_read_localization(boinc_t)
++miscfiles_read_certs(boinc_t)
+
+logging_send_syslog_msg(boinc_t)
+
@@ -12905,8 +13058,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach
+dev_search_sysfs(cachefiles_kernel_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.15/policy/modules/services/ccs.te
--- nsaserefpolicy/policy/modules/services/ccs.te 2010-02-16 14:58:22.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/services/ccs.te 2010-03-18 11:49:55.000000000 -0400
-@@ -114,5 +114,10 @@
++++ serefpolicy-3.7.15/policy/modules/services/ccs.te 2010-03-18 14:03:57.000000000 -0400
+@@ -114,5 +114,15 @@
')
optional_policy(`
@@ -12915,6 +13068,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.
+')
+
+optional_policy(`
++ qpidd_rw_semaphores(ccs_t)
++ qpidd_rw_shm(ccs_t)
++')
++
++optional_policy(`
unconfined_use_fds(ccs_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.15/policy/modules/services/certmonger.fc
@@ -13744,7 +13902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.15/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/services/consolekit.te 2010-03-18 11:49:55.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/consolekit.te 2010-03-18 12:51:48.000000000 -0400
@@ -16,12 +16,15 @@
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
@@ -13762,7 +13920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
allow consolekit_t self:process { getsched signal };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
-@@ -59,28 +62,36 @@
+@@ -59,6 +62,8 @@
term_use_all_terms(consolekit_t)
auth_use_nsswitch(consolekit_t)
@@ -13771,10 +13929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
init_telinit(consolekit_t)
init_rw_utmp(consolekit_t)
-+init_chat(consolekit_t)
-
- logging_send_syslog_msg(consolekit_t)
- logging_send_audit_msgs(consolekit_t)
+@@ -68,19 +73,24 @@
miscfiles_read_localization(consolekit_t)
@@ -13803,7 +13958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
')
optional_policy(`
-@@ -100,19 +111,33 @@
+@@ -100,19 +110,33 @@
')
optional_policy(`
@@ -13839,14 +13994,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.15/policy/modules/services/corosync.fc
--- nsaserefpolicy/policy/modules/services/corosync.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/services/corosync.fc 2010-03-18 11:49:55.000000000 -0400
-@@ -0,0 +1,14 @@
++++ serefpolicy-3.7.15/policy/modules/services/corosync.fc 2010-03-20 05:29:10.000000000 -0400
+@@ -0,0 +1,15 @@
+
+/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+
+/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
++/usr/sbin/cman_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
+
@@ -13969,8 +14125,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.15/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/services/corosync.te 2010-03-18 11:49:55.000000000 -0400
-@@ -0,0 +1,115 @@
++++ serefpolicy-3.7.15/policy/modules/services/corosync.te 2010-03-20 05:34:08.000000000 -0400
+@@ -0,0 +1,122 @@
+
+policy_module(corosync,1.0.0)
+
@@ -14010,8 +14166,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+# corosync local policy
+#
+
-+allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
-+allow corosync_t self:process { setrlimit setsched signal };
++allow corosync_t self:capability { dac_override sys_nice sys_ptrace sys_resource ipc_lock };
++allow corosync_t self:process { setrlimit setsched signal signull };
+
+allow corosync_t self:fifo_file rw_fifo_file_perms;
+allow corosync_t self:sem create_sem_perms;
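Review bot: The capability line now grants corosync_t `sys_ptrace` and `dac_override` outright; `sys_ptrace` is usually requested only because the daemon walks /proc entries of other domains (it already gets `domain_read_all_domains_state` elsewhere in this file), and a `dontaudit corosync_t self:capability sys_ptrace;` silences that AVC without handing a cluster daemon the ability to read other processes' memory. If a real ptrace is needed it should be paired with an explicit `:process ptrace` rule naming the target domain rather than implied here. `dac_override` likewise lets corosync bypass DAC on every file type it is otherwise allowed to touch; confirm it is not just covering a mislabeled or wrongly-owned config path before keeping it.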
@@ -14019,6 +14175,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+allow corosync_t self:unix_dgram_socket create_socket_perms;
+allow corosync_t self:udp_socket create_socket_perms;
+
++can_exec(corosync_t,corosync_exec_t)
++
+# tmp files
+manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
@@ -14045,16 +14203,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+files_pid_filetrans(corosync_t,corosync_var_run_t, { file sock_file })
+
+kernel_read_system_state(corosync_t)
++kernel_read_network_state(corosync_t)
+
+domain_read_all_domains_state(corosync_t)
+
+corenet_udp_bind_netsupport_port(corosync_t)
+
+corecmd_exec_bin(corosync_t)
++corecmd_exec_shell(corosync_t)
+
+dev_read_urand(corosync_t)
+
+files_manage_mounttab(corosync_t)
++files_read_usr_files(corosync_t)
+
+auth_use_nsswitch(corosync_t)
+
@@ -14065,6 +14226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+
+logging_send_syslog_msg(corosync_t)
+
++userdom_delete_user_tmpfs_files(corosync_t)
+userdom_rw_user_tmpfs_files(corosync_t)
+
+optional_policy(`
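Review bot: `userdom_delete_user_tmpfs_files(corosync_t)` lets the daemon unlink objects of the shared user tmpfs type, i.e. any user's POSIX shm segments, not only the ones corosync itself created. If the segments in question are corosync's own, the tighter fix is a dedicated `corosync_tmpfs_t` declared with `fs_tmpfs_file()` plus `fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t, file)`, so both the rw rule on the next line and this delete are scoped to corosync's objects; if they really are created by user processes, a comment naming the client that creates them would make the grant auditable.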
@@ -14086,6 +14248,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+optional_policy(`
+ rgmanager_manage_tmpfs_files(corosync_t)
+')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.15/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400
+++ serefpolicy-3.7.15/policy/modules/services/cron.fc 2010-03-18 11:49:55.000000000 -0400
@@ -14108,7 +14271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.15/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.15/policy/modules/services/cron.if 2010-03-18 11:49:55.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/cron.if 2010-03-22 15:06:29.000000000 -0400
@@ -12,6 +12,10 @@
##
#
@@ -14120,17 +14283,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
##############################
#
# Declarations
-@@ -34,6 +38,9 @@
+@@ -34,8 +38,12 @@
allow $1_t self:process { setsched signal_perms };
allow $1_t self:fifo_file rw_fifo_file_perms;
+- allow $1_t $1_tmp_t:file manage_file_perms;
+- files_tmp_filetrans($1_t, $1_tmp_t, file)
+ allow $1_t crond_t:process signal;
+ allow $1_t crond_var_run_t:file read_file_perms;
+
- allow $1_t $1_tmp_t:file manage_file_perms;
- files_tmp_filetrans($1_t, $1_tmp_t, file)
++ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
++ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
++ files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
-@@ -62,6 +69,7 @@
+ # create files in /var/spool/cron
+ manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
+@@ -62,6 +70,7 @@
logging_send_syslog_msg($1_t)
logging_send_audit_msgs($1_t)
@@ -14138,7 +14306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
init_dontaudit_write_utmp($1_t)
init_read_utmp($1_t)
-@@ -154,27 +162,14 @@
+@@ -154,27 +163,14 @@
#
interface(`cron_unconfined_role',`
gen_require(`
@@ -14168,7 +14336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
optional_policy(`
gen_require(`
class dbus send_msg;
-@@ -263,6 +258,7 @@
+@@ -263,6 +259,7 @@
domtrans_pattern(system_cronjob_t, $2, $1)
domtrans_pattern(crond_t, $2, $1)
@@ -14176,16 +14344,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
role system_r types $1;
')
-@@ -408,7 +404,7 @@
+@@ -408,7 +405,25 @@
type crond_t;
')
- allow $1 crond_t:fifo_file { getattr read write };
+ allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++##
++## Read and write inherited user spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cron_rw_inherited_user_spool_files',`
++ gen_require(`
++ type user_cron_spool_t;
++ ')
++
++ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
')
########################################
-@@ -554,7 +550,7 @@
+@@ -554,7 +569,7 @@
type system_cronjob_t;
')
@@ -14194,7 +14380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
########################################
-@@ -587,11 +583,14 @@
+@@ -587,11 +602,14 @@
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
@@ -14210,7 +14396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
########################################
-@@ -627,7 +626,48 @@
+@@ -627,7 +645,48 @@
interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
@@ -14261,7 +14447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.15/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/services/cron.te 2010-03-18 11:49:55.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/cron.te 2010-03-19 12:04:21.000000000 -0400
@@ -38,8 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -15195,8 +15381,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.15/policy/modules/services/denyhosts.te
--- nsaserefpolicy/policy/modules/services/denyhosts.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/services/denyhosts.te 2010-03-18 11:49:55.000000000 -0400
-@@ -0,0 +1,72 @@
++++ serefpolicy-3.7.15/policy/modules/services/denyhosts.te 2010-03-22 11:56:15.000000000 -0400
+@@ -0,0 +1,74 @@
+
+policy_module(denyhosts, 1.0.0)
+
@@ -15258,6 +15444,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+
+kernel_read_system_state(denyhosts_t)
+
++files_read_etc_files(denyhosts_t)
++
+# /var/log/secure
+logging_read_generic_logs(denyhosts_t)
+
@@ -15271,8 +15459,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.15/policy/modules/services/devicekit.fc
--- nsaserefpolicy/policy/modules/services/devicekit.fc 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.15/policy/modules/services/devicekit.fc 2010-03-18 11:49:55.000000000 -0400
-@@ -1,8 +1,12 @@
++++ serefpolicy-3.7.15/policy/modules/services/devicekit.fc 2010-03-20 06:19:27.000000000 -0400
+@@ -1,8 +1,14 @@
/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
@@ -15280,12 +15468,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
+/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
++/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
-/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
++/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.15/policy/modules/services/devicekit.if
--- nsaserefpolicy/policy/modules/services/devicekit.if 2009-07-29 15:15:33.000000000 -0400
+++ serefpolicy-3.7.15/policy/modules/services/devicekit.if 2010-03-18 11:49:55.000000000 -0400
@@ -17385,7 +17575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.15/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2010-03-18 06:48:09.000000000 -0400
-+++ serefpolicy-3.7.15/policy/modules/services/kerberos.if 2010-03-18 11:49:55.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/kerberos.if 2010-03-22 10:23:00.000000000 -0400
@@ -74,7 +74,7 @@
')
@@ -18349,7 +18539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+term_getattr_unallocated_ttys(munin_system_plugin_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.15/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2010-03-12 11:48:14.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/services/mysql.te 2010-03-18 11:49:56.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/mysql.te 2010-03-22 12:41:07.000000000 -0400
@@ -65,6 +65,7 @@
manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
@@ -18358,7 +18548,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
-@@ -176,6 +177,7 @@
+@@ -157,6 +158,7 @@
+ allow mysqld_safe_t self:capability { chown dac_override fowner kill };
+ dontaudit mysqld_safe_t self:capability sys_ptrace;
+ allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
++allow mysqld_safe_t self:process { setsched getsched };
+
+ read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
+
+@@ -176,6 +178,7 @@
domain_read_all_domains_state(mysqld_safe_t)
@@ -18632,7 +18830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.15/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.15/policy/modules/services/nagios.te 2010-03-18 11:49:56.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/nagios.te 2010-03-19 09:13:50.000000000 -0400
@@ -6,17 +6,23 @@
# Declarations
#
@@ -18716,16 +18914,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
########################################
#
# Nagios local policy
-@@ -60,6 +107,8 @@
+@@ -60,6 +107,9 @@
manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
-+rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
++manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
++files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
+
kernel_read_system_state(nagios_t)
kernel_read_kernel_sysctls(nagios_t)
-@@ -76,6 +125,9 @@
+@@ -76,6 +126,9 @@
corenet_udp_sendrecv_all_ports(nagios_t)
corenet_tcp_connect_all_ports(nagios_t)
@@ -18735,7 +18934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
dev_read_sysfs(nagios_t)
dev_read_urand(nagios_t)
-@@ -86,6 +138,7 @@
+@@ -86,6 +139,7 @@
files_read_etc_files(nagios_t)
files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t)
@@ -18743,7 +18942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
fs_getattr_all_fs(nagios_t)
fs_search_auto_mountpoints(nagios_t)
-@@ -118,61 +171,63 @@
+@@ -118,61 +172,63 @@
udev_read_db(nagios_t)
')
@@ -18839,7 +19038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
kernel_read_system_state(nrpe_t)
kernel_read_kernel_sysctls(nrpe_t)
-@@ -183,11 +238,15 @@
+@@ -183,11 +239,15 @@
dev_read_urand(nrpe_t)
domain_use_interactive_fds(nrpe_t)
@@ -18855,7 +19054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
logging_send_syslog_msg(nrpe_t)
miscfiles_read_localization(nrpe_t)
-@@ -199,6 +258,11 @@
+@@ -199,6 +259,11 @@
')
optional_policy(`
@@ -18867,7 +19066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
seutil_sigchld_newrole(nrpe_t)
')
-@@ -209,3 +273,149 @@
+@@ -209,3 +274,149 @@
optional_policy(`
udev_read_db(nrpe_t)
')
@@ -19155,7 +19354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.15/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.15/policy/modules/services/networkmanager.te 2010-03-18 11:49:56.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/networkmanager.te 2010-03-22 14:25:23.000000000 -0400
@@ -19,6 +19,9 @@
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
@@ -19166,7 +19365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
type NetworkManager_var_run_t;
files_pid_file(NetworkManager_var_run_t)
-@@ -33,13 +36,14 @@
+@@ -33,14 +36,16 @@
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
@@ -19181,9 +19380,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
+allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
++allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom };
allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;
-@@ -51,8 +55,14 @@
+
+@@ -51,8 +56,14 @@
manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
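Review bot: `allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom };` only covers tun sockets already labeled NetworkManager_t, so if the intent is to let NetworkManager attach to a persistent tun/tap device created by another domain (a VPN helper, presumably) this rule will not satisfy it: the kernel checks relabelfrom against the creator's type and relabelto against NetworkManager's own type. Recheck the AVC that motivated the rule; if the device comes from another domain the grant belongs in an interface of that domain's module together with `relabelto` on NetworkManager's side, and if NetworkManager only re-attaches to devices it created itself, a short comment such as `# re-attach to persistent tun devices NM created` would make the self-only scope deliberate. The NetworkManager_t declarations continue outside this hunk.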
@@ -19200,7 +19401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
-@@ -62,7 +72,9 @@
+@@ -62,7 +73,9 @@
kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
@@ -19211,7 +19412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
corenet_all_recvfrom_unlabeled(NetworkManager_t)
corenet_all_recvfrom_netlabel(NetworkManager_t)
-@@ -81,13 +93,18 @@
+@@ -81,13 +94,18 @@
corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
corenet_sendrecv_all_client_packets(NetworkManager_t)
@@ -19230,7 +19431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
mls_file_read_all_levels(NetworkManager_t)
-@@ -98,15 +115,20 @@
+@@ -98,15 +116,20 @@
domain_use_interactive_fds(NetworkManager_t)
domain_read_confined_domains_state(NetworkManager_t)
@@ -19252,7 +19453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
logging_send_syslog_msg(NetworkManager_t)
miscfiles_read_localization(NetworkManager_t)
-@@ -116,25 +138,40 @@
+@@ -116,25 +139,41 @@
seutil_read_config(NetworkManager_t)
@@ -19279,6 +19480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
userdom_dontaudit_use_user_ttys(NetworkManager_t)
# Read gnome-keyring
++userdom_read_home_certs(NetworkManager_t)
userdom_read_user_home_content_files(NetworkManager_t)
+userdom_dgram_send(NetworkManager_t)
+
@@ -19300,7 +19502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
optional_policy(`
-@@ -146,8 +183,25 @@
+@@ -146,8 +185,25 @@
')
optional_policy(`
@@ -19328,7 +19530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
optional_policy(`
-@@ -155,23 +209,51 @@
+@@ -155,23 +211,51 @@
')
optional_policy(`
@@ -19383,7 +19585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
optional_policy(`
-@@ -179,12 +261,15 @@
+@@ -179,12 +263,15 @@
')
optional_policy(`
@@ -20204,7 +20406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.if serefpolicy-3.7.15/policy/modules/services/plymouthd.if
--- nsaserefpolicy/policy/modules/services/plymouthd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/services/plymouthd.if 2010-03-18 11:49:56.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/plymouthd.if 2010-03-23 08:13:59.000000000 -0400
@@ -0,0 +1,322 @@
+## policy for plymouthd
+
@@ -22022,6 +22224,324 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
userdom_dontaudit_search_user_home_dirs(pyzor_t)
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.fc serefpolicy-3.7.15/policy/modules/services/qpidd.fc
+--- nsaserefpolicy/policy/modules/services/qpidd.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/qpidd.fc 2010-03-18 14:02:34.000000000 -0400
+@@ -0,0 +1,9 @@
++
++/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0)
++
++/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0)
++
++/var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0)
++
++/var/run/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_run_t,s0)
++/var/run/qpidd\.pid gen_context(system_u:object_r:qpidd_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.if serefpolicy-3.7.15/policy/modules/services/qpidd.if
+--- nsaserefpolicy/policy/modules/services/qpidd.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/qpidd.if 2010-03-18 14:04:18.000000000 -0400
+@@ -0,0 +1,236 @@
++
++## policy for qpidd
++
++########################################
++##
++## Execute a domain transition to run qpidd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`qpidd_domtrans',`
++ gen_require(`
++ type qpidd_t, qpidd_exec_t;
++ ')
++
++ domtrans_pattern($1, qpidd_exec_t, qpidd_t)
++')
++
++
++########################################
++##
++## Execute qpidd server in the qpidd domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`qpidd_initrc_domtrans',`
++ gen_require(`
++ type qpidd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
++')
++
++########################################
++##
++## Read qpidd PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`qpidd_read_pid_files',`
++ gen_require(`
++ type qpidd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 qpidd_var_run_t:file read_file_perms;
++')
++
++########################################
++##
++## Manage qpidd var_run files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`qpidd_manage_var_run',`
++ gen_require(`
++ type qpidd_var_run_t;
++ ')
++
++ manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
++ manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
++ manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
++')
++
++
++########################################
++##
++## Search qpidd lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`qpidd_search_lib',`
++ gen_require(`
++ type qpidd_var_lib_t;
++ ')
++
++ allow $1 qpidd_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read qpidd lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`qpidd_read_lib_files',`
++ gen_require(`
++ type qpidd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## qpidd lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`qpidd_manage_lib_files',`
++ gen_require(`
++ type qpidd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
++')
++
++########################################
++##
++## Manage qpidd var_lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`qpidd_manage_var_lib',`
++ gen_require(`
++ type qpidd_var_lib_t;
++ ')
++
++ manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
++ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
++ manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an qpidd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`qpidd_admin',`
++ gen_require(`
++ type qpidd_t;
++ ')
++
++ allow $1 qpidd_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, qpidd_t, qpidd_t)
++
++
++ gen_require(`
++ type qpidd_initrc_exec_t;
++ ')
++
++ # Allow qpidd_t to restart the apache service
++ qpidd_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 qpidd_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ qpidd_manage_var_run($1)
++
++ qpidd_manage_var_lib($1)
++
++')
++
++#####################################
++##
++## Allow read and write access to qpidd semaphores.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`qpidd_rw_semaphores',`
++ gen_require(`
++ type qpidd_t;
++ ')
++
++ allow $1 qpidd_t:sem rw_sem_perms;
++')
++
++########################################
++##
++## Read and write to qpidd shared memory.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`qpidd_rw_shm',`
++ gen_require(`
++ type qpidd_t;
++ ')
++
++ allow $1 qpidd_t:shm rw_shm_perms;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.te serefpolicy-3.7.15/policy/modules/services/qpidd.te
+--- nsaserefpolicy/policy/modules/services/qpidd.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/qpidd.te 2010-03-18 14:04:35.000000000 -0400
+@@ -0,0 +1,61 @@
++policy_module(qpidd,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type qpidd_t;
++type qpidd_exec_t;
++init_daemon_domain(qpidd_t, qpidd_exec_t)
++
++permissive qpidd_t;
++
++type qpidd_initrc_exec_t;
++init_script_file(qpidd_initrc_exec_t)
++
++type qpidd_var_run_t;
++files_pid_file(qpidd_var_run_t)
++
++type qpidd_var_lib_t;
++files_type(qpidd_var_lib_t)
++
++########################################
++#
++# qpidd local policy
++#
++
++allow qpidd_t self:process signull;
++allow qpidd_t self:fifo_file rw_fifo_file_perms;
++allow qpidd_t self:sem create_sem_perms;
++allow qpidd_t self:shm create_shm_perms;
++allow qpidd_t self:tcp_socket create_stream_socket_perms;
++allow qpidd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
++manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
++files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir } )
++
++manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
++manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
++files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir })
++
++kernel_read_system_state(qpidd_t)
++
++corenet_all_recvfrom_unlabeled(qpidd_t)
++corenet_all_recvfrom_netlabel(qpidd_t)
++corenet_tcp_bind_generic_node(qpidd_t)
++corenet_tcp_sendrecv_generic_if(qpidd_t)
++corenet_tcp_sendrecv_generic_node(qpidd_t)
++corenet_tcp_sendrecv_all_ports(qpidd_t)
++corenet_tcp_bind_amqp_port(qpidd_t)
++
++dev_read_urand(qpidd_t)
++
++files_read_etc_files(qpidd_t)
++
++logging_send_syslog_msg(qpidd_t)
++
++miscfiles_read_localization(qpidd_t)
++
++sysnet_dns_name_resolve(qpidd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.7.15/policy/modules/services/radvd.te
--- nsaserefpolicy/policy/modules/services/radvd.te 2009-12-18 11:38:25.000000000 -0500
+++ serefpolicy-3.7.15/policy/modules/services/radvd.te 2010-03-18 11:49:56.000000000 -0400
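Review bot: `permissive qpidd_t;` in qpidd.te means none of the rules that follow are enforced, so the new domain ships as a labeling-only change and its allow set cannot be trusted until the line is removed and the broker has been exercised in enforcing mode; a marker such as `# TODO: remove once qpidd policy is complete and tested enforcing` next to it would keep that from being forgotten. In qpidd.if the comment inside `qpidd_admin` was copied from another module and reads `# Allow qpidd_t to restart the apache service`; it should read `# Allow $1 to restart the qpidd service`. Also note `corenet_tcp_bind_amqp_port` requires an amqp port declaration in corenetwork that is not part of this hunk; confirm it exists so the module builds.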
@@ -22311,8 +22831,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.15/policy/modules/services/rgmanager.te
--- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/services/rgmanager.te 2010-03-18 11:49:56.000000000 -0400
-@@ -0,0 +1,223 @@
++++ serefpolicy-3.7.15/policy/modules/services/rgmanager.te 2010-03-20 05:54:01.000000000 -0400
+@@ -0,0 +1,226 @@
+
+policy_module(rgmanager,1.0.0)
+
@@ -22404,19 +22924,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+domain_getattr_all_domains(rgmanager_t)
+domain_dontaudit_ptrace_all_domains(rgmanager_t)
+
++storage_raw_read_fixed_disk(rgmanager_t)
+storage_getattr_fixed_disk_dev(rgmanager_t)
+
+# needed by resources scripts
+auth_read_all_files_except_shadow(rgmanager_t)
+auth_dontaudit_getattr_shadow(rgmanager_t)
+
-+files_list_all(rgmanager_t)
++files_create_var_run_dirs(rgmanager_t)
+files_getattr_all_symlinks(rgmanager_t)
++files_list_all(rgmanager_t)
+files_manage_mnt_dirs(rgmanager_t)
++files_manage_mnt_files(rgmanager_t)
++files_manage_mnt_symlinks(rgmanager_t)
++files_manage_isid_type_files(rgmanager_t)
+files_manage_isid_type_dirs(rgmanager_t)
+
-+files_create_var_run_dirs(rgmanager_t)
-+
+fs_getattr_all_fs(rgmanager_t)
+
+term_getattr_pty_fs(rgmanager_t)
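Review bot: `storage_raw_read_fixed_disk(rgmanager_t)`, the first added line of this hunk, carries no comment, and raw reads of fixed-disk devices bypass file labelling entirely, which undercuts the shadow exclusion that `auth_read_all_files_except_shadow` / `auth_dontaudit_getattr_shadow` a few lines below are meant to keep. Presumably a resource agent needs to inspect shared storage directly; say so next to the rule, e.g. `# resource agents inspect shared block devices directly; raw read bypasses file labels — confirm which agents`. The same question applies to `files_manage_isid_type_files(rgmanager_t)`, which reaches unlabelled files. The rgmanager_t section continues outside the hunk.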
@@ -22565,7 +23088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.15/policy/modules/services/rhcs.if
--- nsaserefpolicy/policy/modules/services/rhcs.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/services/rhcs.if 2010-03-18 11:49:56.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/rhcs.if 2010-03-20 05:41:37.000000000 -0400
@@ -0,0 +1,424 @@
+## SELinux policy for RHCS - Red Hat Cluster Suite
+
@@ -22582,9 +23105,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+#
+template(`rhcs_domain_template',`
+
-+ gen_require(`
-+ attribute cluster_domain;
-+ ')
++ gen_require(`
++ attribute cluster_domain;
++ ')
+
+ ##############################
+ #
@@ -22993,8 +23516,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.15/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/services/rhcs.te 2010-03-18 11:49:56.000000000 -0400
-@@ -0,0 +1,248 @@
++++ serefpolicy-3.7.15/policy/modules/services/rhcs.te 2010-03-20 05:47:57.000000000 -0400
+@@ -0,0 +1,239 @@
+
+policy_module(rhcs,1.1.0)
+
@@ -23055,10 +23578,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+
+init_rw_script_tmp_files(dlm_controld_t)
+
-+optional_policy(`
-+ ccs_stream_connect(dlm_controld_t)
-+')
-+
+#######################################
+#
+# fenced local policy
@@ -23083,8 +23602,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+
+stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+
++kernel_read_system_state(fenced_t)
++
+corecmd_exec_bin(fenced_t)
+
++corenet_tcp_connect_http_port(fenced_t)
++
+dev_read_sysfs(fenced_t)
+dev_read_urand(fenced_t)
+
@@ -23099,14 +23622,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+
+files_read_usr_symlinks(fenced_t)
+
-+corenet_tcp_connect_http_port(fenced_t)
+tunable_policy(`fenced_can_network_connect',`
+ corenet_tcp_connect_all_ports(fenced_t)
+')
+
+optional_policy(`
+ ccs_read_config(fenced_t)
-+ ccs_stream_connect(fenced_t)
++ ccs_stream_connect(cluster_domain)
+')
+
+optional_policy(`
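Review bot: `ccs_stream_connect(cluster_domain)` sits inside the `optional_policy` block of the fenced section, but it grants access to every type carrying the `cluster_domain` attribute, not only `fenced_t`, which a reader of the fenced section will not expect. Move it to the cluster_domain common policy next to `corosync_stream_connect(cluster_domain)` (hunk at L1860), in its own `optional_policy` block, and leave this block with `ccs_read_config(fenced_t)` alone. The per-domain removals in the hunks at L1789, L1829 and L1849 depend on this one line, so its placement should make that dependency visible.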
@@ -23140,10 +23662,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+init_rw_script_tmp_files(gfs_controld_t)
+
+optional_policy(`
-+ ccs_stream_connect(gfs_controld_t)
-+')
-+
-+optional_policy(`
+ lvm_exec(gfs_controld_t)
+ dev_rw_lvm_control(gfs_controld_t)
+')
@@ -23169,7 +23687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+# qdiskd local policy
+#
+
-+allow qdiskd_t self:capability ipc_lock;
++allow qdiskd_t self:capability { ipc_lock sys_boot };
+
+allow qdiskd_t self:tcp_socket create_stream_socket_perms;
+allow qdiskd_t self:udp_socket create_socket_perms;
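Review bot: `sys_boot` is added to the `qdiskd_t` capability set without a comment; that capability lets the domain reboot the host, far beyond what `ipc_lock` conveyed. If it is there because qdiskd reboots a node that loses the quorum disk, say so on the line: `allow qdiskd_t self:capability { ipc_lock sys_boot }; # sys_boot: qdiskd reboots the node on quorum loss — confirm`. A note like that lets a later reader tell a deliberate fencing behaviour from an over-broad grant. The qdiskd section continues outside the hunk.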
@@ -23209,10 +23727,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+files_read_etc_files(qdiskd_t)
+
+optional_policy(`
-+ ccs_stream_connect(qdiskd_t)
-+')
-+
-+optional_policy(`
+ netutils_domtrans_ping(qdiskd_t)
+')
+
@@ -23241,7 +23755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+miscfiles_read_localization(cluster_domain)
+
+optional_policy(`
-+ corosync_stream_connect(cluster_domain)
++ corosync_stream_connect(cluster_domain)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.15/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400
@@ -26038,7 +26552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.15/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/services/sssd.te 2010-03-18 11:49:56.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/sssd.te 2010-03-22 10:23:27.000000000 -0400
@@ -13,6 +13,9 @@
type sssd_initrc_exec_t;
init_script_file(sssd_initrc_exec_t)
@@ -26056,7 +26570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
-allow sssd_t self:capability { sys_nice setgid setuid };
-allow sssd_t self:process { setsched signal getsched };
+allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
-+allow sssd_t self:process { setsched sigkill signal getsched };
++allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
allow sssd_t self:fifo_file rw_file_perms;
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
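Review bot: `setfscreate` is added to `sssd_t`'s process permissions without explanation; it lets sssd pick the label of files it creates, and together with `selinux_validate_context(sssd_t)` and `seutil_read_file_contexts(sssd_t)` in the hunk at L1893 it makes sssd a domain that computes and applies file labels itself. A one-line comment stating which files it labels would justify the trio, e.g. `# setfscreate + validate_context + read_file_contexts: sssd labels the files it creates — confirm which`. The sssd_t section continues outside the hunk.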
@@ -26066,7 +26580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
-@@ -49,12 +55,17 @@
+@@ -49,12 +55,21 @@
dev_read_urand(sssd_t)
@@ -26079,12 +26593,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
fs_list_inotifyfs(sssd_t)
++selinux_validate_context(sssd_t)
++
++seutil_read_file_contexts(sssd_t)
++
+mls_file_read_to_clearance(sssd_t)
+
auth_use_nsswitch(sssd_t)
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
-@@ -66,6 +77,8 @@
+@@ -66,7 +81,13 @@
miscfiles_read_localization(sssd_t)
@@ -26093,6 +26611,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
optional_policy(`
dbus_system_bus_client(sssd_t)
dbus_connect_system_bus(sssd_t)
+ ')
++
++optional_policy(`
++ kerberos_manage_host_rcache(sssd_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.15/policy/modules/services/sysstat.te
--- nsaserefpolicy/policy/modules/services/sysstat.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.15/policy/modules/services/sysstat.te 2010-03-18 11:49:56.000000000 -0400
@@ -26750,8 +27273,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.15/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/services/virt.fc 2010-03-18 11:49:56.000000000 -0400
-@@ -8,6 +8,10 @@
++++ serefpolicy-3.7.15/policy/modules/services/virt.fc 2010-03-18 17:16:00.000000000 -0400
+@@ -8,18 +8,22 @@
/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
@@ -26761,23 +27284,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
- /var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
+-/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
++/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0-mls_systemhigh)
+
+ /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+ /var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+ /var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+ /var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+-/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
++/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
+
+ /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+ /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+-/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
++/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
+
+ /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.15/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/services/virt.if 2010-03-18 11:49:56.000000000 -0400
-@@ -22,6 +22,11 @@
++++ serefpolicy-3.7.15/policy/modules/services/virt.if 2010-03-23 07:52:17.000000000 -0400
+@@ -21,6 +21,12 @@
+ type $1_t, virt_domain;
domain_type($1_t)
role system_r types $1_t;
-
++ mls_rangetrans_target($1_t)
++
+ type $1_devpts_t;
+ term_pty($1_devpts_t)
+
+ domain_user_exemption_target($1_t)
-+
+
type $1_tmp_t;
files_tmp_file($1_tmp_t)
-
-@@ -31,10 +36,14 @@
+@@ -31,13 +37,19 @@
type $1_image_t, virt_image_type;
files_type($1_image_t)
dev_node($1_image_t)
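Review bot: `mls_rangetrans_target($1_t)` is inserted into the per-guest template without a comment, and the template applies to every domain generated from it. It marks each guest domain as a legitimate target of an MLS range transition, which only makes sense together with `mls_rangetrans_source(virtd_t)` in the virt.te hunk at L2084–L2095; a reader of virt.if alone cannot see that pairing. Suggested line comment: `# range_transition target: virtd_t launches each guest at its own MLS range`. The file-context changes earlier in the hunk label the `svirt_cache_t` and `svirt_var_run_t` paths `s0-mls_systemhigh`, which fits guests at mixed levels but should be mentioned in the same comment. The template continues outside the hunk.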
@@ -26785,14 +27324,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
type $1_var_run_t;
files_pid_file($1_var_run_t)
-
-+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
-+ term_create_pty($1_t, $1_devpts_t)
++ mls_trusted_object($1_var_run_t)
+
++ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
++ term_create_pty($1_t, $1_devpts_t)
+
manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
manage_files_pattern($1_t, $1_image_t, $1_image_t)
read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
-@@ -62,6 +71,9 @@
++ rw_chr_files_pattern($1_t, $1_image_t, $1_image_t)
+ rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
+
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+@@ -62,6 +74,9 @@
files_pid_filetrans($1_t, $1_var_run_t, { dir file })
stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t)
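Review bot: `mls_trusted_object($1_var_run_t)` exempts the per-guest pid/socket type from MLS read and write constraints at every level, and the hunk gives no reason; since the same type is the target of `stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t)` at the end of the hunk, the likely purpose is letting guests at any level reach virtd's socket, but that is inferred. A line comment would settle it: `# trusted object: guests at any MLS level must reach virtd through this socket — confirm`. `rw_chr_files_pattern($1_t, $1_image_t, $1_image_t)` also deserves a word on which character devices are expected to carry the image type. The template continues outside the hunk.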
@@ -26802,7 +27346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
########################################
-@@ -293,6 +305,7 @@
+@@ -293,6 +308,7 @@
files_search_var_lib($1)
read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
@@ -26810,7 +27354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
########################################
-@@ -505,3 +518,32 @@
+@@ -505,3 +521,32 @@
virt_manage_log($1)
')
@@ -26845,7 +27389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.15/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/services/virt.te 2010-03-18 11:49:56.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/virt.te 2010-03-19 14:33:17.000000000 -0400
@@ -15,6 +15,13 @@
##
@@ -26860,7 +27404,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
## Allow virt to manage nfs files
##
##
-@@ -107,6 +114,7 @@
+@@ -67,6 +74,7 @@
+
+ type virt_log_t;
+ logging_log_file(virt_log_t)
++mls_trusted_object(virt_log_t)
+
+ type virt_var_run_t;
+ files_pid_file(virt_var_run_t)
+@@ -107,6 +115,7 @@
allow svirt_t svirt_image_t:dir search_dir_perms;
manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
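Review bot: `mls_trusted_object(virt_log_t)` exempts the whole libvirt log type from MLS constraints, so processes at any level can read and write it, and there is no comment on why. If the intent is that guests and virtd at different levels all append to the same logs, the comment should say so and acknowledge that the log becomes a cross-level channel: `# trusted object: guests at every level write their logs here`. Consider whether `mls_file_write_to_clearance(virtd_t)` in the hunk at L2084 already covers virtd's side, leaving only the guest domains to justify. The virt_log_t declaration block continues outside the hunk.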
@@ -26868,7 +27420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
read_files_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -118,10 +126,13 @@
+@@ -118,10 +127,13 @@
corenet_udp_sendrecv_all_ports(svirt_t)
corenet_udp_bind_generic_node(svirt_t)
corenet_udp_bind_all_ports(svirt_t)
@@ -26882,7 +27434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
userdom_read_all_users_state(svirt_t)
tunable_policy(`virt_use_comm',`
-@@ -129,6 +140,11 @@
+@@ -129,6 +141,11 @@
dev_rw_printer(svirt_t)
')
@@ -26894,7 +27446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(svirt_t)
fs_manage_nfs_files(svirt_t)
-@@ -153,6 +169,10 @@
+@@ -153,6 +170,10 @@
xen_rw_image_files(svirt_t)
')
@@ -26905,7 +27457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
########################################
#
# virtd local policy
-@@ -165,6 +185,7 @@
+@@ -165,6 +186,7 @@
allow virtd_t self:unix_stream_socket create_stream_socket_perms;
allow virtd_t self:tcp_socket create_stream_socket_perms;
allow virtd_t self:tun_socket create_socket_perms;
@@ -26913,7 +27465,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
-@@ -226,23 +247,31 @@
+@@ -184,6 +206,7 @@
+
+ manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
+ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
++manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
+ allow virtd_t virt_image_type:file { relabelfrom relabelto };
+ allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
+
+@@ -226,23 +249,38 @@
dev_read_rand(virtd_t)
dev_rw_kvm(virtd_t)
dev_getattr_all_chr_files(virtd_t)
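Review bot: `manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)` lets virtd create and remove symlinks carrying any image type, but the two `relabelfrom relabelto` rules just below it cover only `file` and `blk_file`. If virtd also relabels image symlinks the way it relabels images and block devices, an `allow virtd_t virt_image_type:lnk_file { relabelfrom relabelto };` is missing; if it does not, a comment saying symlinks are managed but never relabelled would stop the next reader from adding it. The hunk does not show which of the two is intended.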
@@ -26942,10 +27502,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
fs_list_inotifyfs(virtd_t)
+fs_manage_cgroup_dirs(virtd_t)
+fs_rw_cgroup_files(virtd_t)
++
++mls_fd_share_all_levels(virtd_t)
++mls_file_read_to_clearance(virtd_t)
++mls_file_write_to_clearance(virtd_t)
++mls_process_write_to_clearance(virtd_t)
++mls_socket_write_to_clearance(virtd_t)
++mls_rangetrans_source(virtd_t)
mcs_process_set_categories(virtd_t)
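Review bot: The six `mls_*` lines added to virtd_t (`mls_fd_share_all_levels`, `mls_file_read_to_clearance`, `mls_file_write_to_clearance`, `mls_process_write_to_clearance`, `mls_socket_write_to_clearance`, `mls_rangetrans_source`) turn virtd into an MLS-trusted subject that can read and write files, processes and sockets at every level up to its clearance and launch guests at other ranges, yet the group carries no comment at all. A block comment above `mls_fd_share_all_levels(virtd_t)` should state that virtd manages guests running at arbitrary MLS ranges and therefore has to cross levels, that each exemption is bounded by the clearance of the virtd process, and that `mls_rangetrans_source` pairs with `mls_rangetrans_target($1_t)` in the virt.if hunk at L1929–L1974. Without it, a later policy audit cannot distinguish an intended trusted-subject grant from an accidental one. The virtd_t section continues outside the hunk.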
-@@ -259,21 +288,25 @@
+@@ -259,21 +297,30 @@
miscfiles_read_localization(virtd_t)
miscfiles_read_certs(virtd_t)
@@ -26957,8 +27524,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
logging_send_syslog_msg(virtd_t)
++selinux_validate_context(virtd_t)
++
++seutil_read_config(virtd_t)
seutil_read_default_contexts(virtd_t)
--
++seutil_read_file_contexts(virtd_t)
+
sysnet_domtrans_ifconfig(virtd_t)
sysnet_read_config(virtd_t)
@@ -26972,7 +27543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -339,10 +372,11 @@
+@@ -339,10 +386,11 @@
')
optional_policy(`
@@ -26985,7 +27556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
optional_policy(`
-@@ -360,6 +394,7 @@
+@@ -360,6 +408,7 @@
optional_policy(`
udev_domtrans(virtd_t)
@@ -26993,7 +27564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
optional_policy(`
-@@ -371,8 +406,8 @@
+@@ -371,8 +420,8 @@
# virtual domains common policy
#
@@ -27004,7 +27575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
allow virt_domain self:fifo_file rw_file_perms;
allow virt_domain self:shm create_shm_perms;
allow virt_domain self:unix_stream_socket create_stream_socket_perms;
-@@ -399,7 +434,9 @@
+@@ -399,7 +448,9 @@
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
@@ -27014,7 +27585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
-@@ -410,11 +447,21 @@
+@@ -410,11 +461,21 @@
files_read_etc_files(virt_domain)
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
@@ -27171,7 +27742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.15/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/services/xserver.if 2010-03-18 11:49:56.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/xserver.if 2010-03-19 11:59:38.000000000 -0400
@@ -19,9 +19,10 @@
interface(`xserver_restricted_role',`
gen_require(`
@@ -27263,19 +27834,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow $1 xdm_tmp_t:dir search;
allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -355,6 +365,11 @@
+@@ -355,6 +365,12 @@
class x_property all_x_property_perms;
class x_event all_x_event_perms;
class x_synthetic_event all_x_synthetic_event_perms;
+ class x_client destroy;
+ class x_server manage;
++ class x_screen { saver_hide saver_show };
+ class x_pointer manage;
+ class x_keyboard { read manage };
+ type xdm_t, xserver_t;
')
##############################
-@@ -386,6 +401,14 @@
+@@ -386,6 +402,15 @@
allow $2 xevent_t:{ x_event x_synthetic_event } receive;
# dont audit send failures
dontaudit $2 input_xevent_type:x_event send;
@@ -27285,12 +27857,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
+ allow $2 root_xdrawable_t:x_drawable write;
+ allow $2 xserver_t:x_server manage;
++ allow $2 xserver_t:x_screen { saver_hide saver_show };
+ allow $2 xserver_t:x_pointer manage;
+ allow $2 xserver_t:x_keyboard { read manage };
')
#######################################
-@@ -476,6 +499,7 @@
+@@ -476,6 +501,7 @@
xserver_use_user_fonts($2)
xserver_read_xdm_tmp_files($2)
@@ -27298,7 +27871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# X object manager
xserver_object_types_template($1)
-@@ -545,6 +569,9 @@
+@@ -545,6 +571,9 @@
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -27308,7 +27881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -598,6 +625,7 @@
+@@ -598,6 +627,7 @@
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -27316,7 +27889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -805,7 +833,7 @@
+@@ -805,7 +835,7 @@
')
files_search_pids($1)
@@ -27325,7 +27898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1224,9 +1252,20 @@
+@@ -1224,9 +1254,20 @@
class x_device all_x_device_perms;
class x_pointer all_x_pointer_perms;
class x_keyboard all_x_keyboard_perms;
@@ -27342,11 +27915,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
+ allow $1 x_domain:x_drawable { read manage setattr show };
+ allow $1 x_domain:x_resource { write read };
-+ allow $1 root_xdrawable_t:x_drawable manage;
++ allow $1 root_xdrawable_t:x_drawable { manage read };
')
########################################
-@@ -1250,3 +1289,329 @@
+@@ -1250,3 +1291,329 @@
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
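Review bot: `allow $1 root_xdrawable_t:x_drawable { manage read }` widens the previous `manage` to include `read` on the root window drawable, which is the permission that exposes the whole screen's pixel contents to `$1`, and the change carries no comment. Add one on the line: `# read on the root drawable lets $1 capture screen contents`. The interface this belongs to starts outside the hunk, so its name and intended callers cannot be checked here.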
@@ -28549,8 +29122,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.15/policy/modules/system/application.te
--- nsaserefpolicy/policy/modules/system/application.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/system/application.te 2010-03-18 11:49:56.000000000 -0400
-@@ -7,6 +7,17 @@
++++ serefpolicy-3.7.15/policy/modules/system/application.te 2010-03-22 11:38:36.000000000 -0400
+@@ -7,6 +7,21 @@
# Executables to be run by user
attribute application_exec_type;
@@ -28565,6 +29138,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic
+ afs_rw_udp_sockets(application_domain_type)
+')
+
++optional_policy(`
++ cron_rw_inherited_user_spool_files(application_domain_type)
++')
++
optional_policy(`
ssh_sigchld(application_domain_type)
ssh_rw_stream_sockets(application_domain_type)
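Review bot: `cron_rw_inherited_user_spool_files(application_domain_type)` is granted to every application domain inside its own `optional_policy` block with no comment; the `inherited` in the name suggests it is about spool-file descriptors cron leaves open across exec, but that is inferred. A line comment stating the case, e.g. `# cron runs user applications with the job's spool file on stdout/stderr — confirm`, would tell the reader why all application domains need it rather than only those cron launches. The attribute block continues outside the hunk.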
@@ -28871,7 +29448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.15/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2010-03-09 15:39:06.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/system/fstools.te 2010-03-18 11:49:56.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/system/fstools.te 2010-03-22 12:10:19.000000000 -0400
@@ -118,6 +118,8 @@
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
@@ -28890,6 +29467,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
ifdef(`distro_redhat',`
optional_policy(`
+@@ -167,6 +169,10 @@
+ ')
+
+ optional_policy(`
++ hal_dontaudit_write_log(fsadm_t)
++')
++
++optional_policy(`
+ nis_use_ypbind(fsadm_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.7.15/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2010-02-12 10:33:09.000000000 -0500
+++ serefpolicy-3.7.15/policy/modules/system/getty.te 2010-03-18 11:49:56.000000000 -0400
@@ -28945,7 +29533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
# /var
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.15/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.7.15/policy/modules/system/init.if 2010-03-18 11:49:56.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/system/init.if 2010-03-19 08:40:54.000000000 -0400
@@ -193,8 +193,10 @@
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
@@ -29014,16 +29602,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+ ',`
+ term_dontaudit_use_all_ttys($1)
+ term_dontaudit_use_all_ptys($1)
-+ ')
++ ')
+
-+ # these apps are often redirect output to random log files
-+ logging_rw_all_logs($1)
++ # these apps are often redirect output to random log files
++ logging_inherit_append_all_logs($1)
+
+ optional_policy(`
+ cron_rw_pipes($1)
+ ')
+
-+ optional_policy(`
++ optional_policy(`
+ xserver_dontaudit_append_xdm_home_files($1)
+ ')
+
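Review bot: The comment `# these apps are often redirect output to random log files` is ungrammatical and no longer matches the rule under it, which this hunk narrows from `logging_rw_all_logs($1)` to `logging_inherit_append_all_logs($1)`. Reword it to describe the narrowed grant, e.g. `# these apps presumably inherit a log file on stdout/stderr; allow append only`. The interface this sits in starts and ends outside the hunk.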
@@ -29037,18 +29625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
-@@ -681,7 +726,9 @@
-
- # upstart uses a datagram socket instead of initctl pipe
- allow $1 self:unix_dgram_socket create_socket_perms;
-- allow $1 init_t:unix_dgram_socket sendto;
-+ allow $1 init_t:unix_stream_socket sendto;
-+ allow $1 init_t:unix_stream_socket connectto;
-+ init_chat($1)
- ')
- ')
-
-@@ -754,18 +801,19 @@
+@@ -754,18 +799,19 @@
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -29072,7 +29649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
')
-@@ -781,19 +829,39 @@
+@@ -781,23 +827,43 @@
#
interface(`init_domtrans_script',`
gen_require(`
@@ -29093,11 +29670,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-+ ')
-+')
-+
-+########################################
-+##
+ ')
+ ')
+
+ ########################################
+ ##
+## Execute a file in a bin directory
+## in the initrc_t domain
+##
@@ -29110,13 +29687,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+interface(`init_bin_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
- ')
++ ')
+
+ corecmd_bin_domtrans($1, initrc_t)
- ')
-
- ########################################
-@@ -849,8 +917,10 @@
++')
++
++########################################
++##
+ ## Execute a init script in a specified domain.
+ ##
+ ##
+@@ -849,8 +915,10 @@
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -29127,63 +29708,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
domtrans_pattern($1, $2, initrc_t)
files_search_etc($1)
')
-@@ -1444,7 +1514,7 @@
-
- ########################################
- ##
--## Read init script temporary data.
-+## Read and write init script temporary data.
- ##
- ##
- ##
-@@ -1452,18 +1522,18 @@
- ##
- ##
- #
--interface(`init_read_script_tmp_files',`
-+interface(`init_rw_script_tmp_files',`
- gen_require(`
- type initrc_tmp_t;
- ')
-
- files_search_tmp($1)
-- read_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
-+ rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
- ')
-
- ########################################
- ##
--## Read and write init script temporary data.
-+## Read init script temporary data.
- ##
- ##
- ##
-@@ -1471,13 +1541,13 @@
- ##
- ##
- #
--interface(`init_rw_script_tmp_files',`
-+interface(`init_read_script_tmp_files',`
- gen_require(`
- type initrc_tmp_t;
- ')
-
- files_search_tmp($1)
-- rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
-+ read_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
- ')
-
- ########################################
-@@ -1637,7 +1707,7 @@
+@@ -1637,7 +1705,7 @@
type initrc_var_run_t;
')
- dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
-+ dontaudit $1 initrc_var_run_t:file { getattr read write append };
++ dontaudit $1 initrc_var_run_t:file rw_file_perms;
')
########################################
-@@ -1712,3 +1782,76 @@
+@@ -1712,3 +1780,56 @@
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -29218,26 +29752,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+
+########################################
+##
-+## Send and receive unix_stream_messages with
-+## init
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_chat',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:unix_dgram_socket sendto;
-+ allow init_t $1:unix_dgram_socket sendto;
-+')
-+
-+########################################
-+##
+## dontaudit read and write an leaked init scrip file descriptors
+##
+##
@@ -29262,7 +29776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.15/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.7.15/policy/modules/system/init.te 2010-03-18 11:49:56.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/system/init.te 2010-03-23 08:14:49.000000000 -0400
@@ -17,6 +17,20 @@
##
gen_tunable(init_upstart, false)
@@ -29371,15 +29885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -230,6 +263,7 @@
-
- # Going to single user mode
- init_telinit(initrc_t)
-+init_chat(initrc_t)
-
- can_exec(initrc_t, init_script_file_type)
-
-@@ -242,6 +276,7 @@
+@@ -242,6 +275,7 @@
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -29387,7 +29893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
can_exec(initrc_t, initrc_tmp_t)
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -259,13 +294,19 @@
+@@ -259,13 +293,19 @@
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -29409,14 +29915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corenet_all_recvfrom_unlabeled(initrc_t)
corenet_all_recvfrom_netlabel(initrc_t)
-@@ -293,12 +334,14 @@
- dev_setattr_all_chr_files(initrc_t)
- dev_rw_lvm_control(initrc_t)
- dev_delete_lvm_control_dev(initrc_t)
-+dev_delete_null(initrc_t)
- dev_manage_generic_symlinks(initrc_t)
- dev_manage_generic_files(initrc_t)
- # Wants to remove udev.tbl:
+@@ -299,6 +339,7 @@
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -29424,16 +29923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corecmd_exec_all_executables(initrc_t)
-@@ -310,7 +353,7 @@
- domain_sigchld_all_domains(initrc_t)
- domain_read_all_domains_state(initrc_t)
- domain_getattr_all_domains(initrc_t)
--domain_dontaudit_ptrace_all_domains(initrc_t)
-+domain_ptrace_all_domains(initrc_t)
- domain_getsession_all_domains(initrc_t)
- domain_use_interactive_fds(initrc_t)
- # for lsof which is used by alsa shutdown:
-@@ -325,8 +368,10 @@
+@@ -325,8 +366,10 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -29445,7 +29935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -342,6 +387,8 @@
+@@ -342,6 +385,8 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -29454,7 +29944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
-@@ -352,6 +399,11 @@
+@@ -352,6 +397,11 @@
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -29466,7 +29956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -395,19 +447,22 @@
+@@ -395,15 +445,16 @@
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -29485,13 +29975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
userdom_use_user_terminals(initrc_t)
-
-+usermanage_domtrans_passwd(initrc_t)
-+
- ifdef(`distro_debian',`
- dev_setattr_generic_dirs(initrc_t)
-
-@@ -471,7 +526,7 @@
+@@ -471,7 +522,7 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -29500,7 +29984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -517,6 +572,15 @@
+@@ -517,6 +568,15 @@
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -29516,7 +30000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -542,6 +606,34 @@
+@@ -542,6 +602,34 @@
')
')
@@ -29551,7 +30035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -554,6 +646,8 @@
+@@ -554,6 +642,8 @@
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -29560,7 +30044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -594,6 +688,7 @@
+@@ -594,6 +684,7 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -29568,7 +30052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -647,11 +742,6 @@
+@@ -647,11 +738,6 @@
')
optional_policy(`
@@ -29580,7 +30064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
kerberos_use(initrc_t)
')
-@@ -690,12 +780,18 @@
+@@ -690,12 +776,18 @@
')
optional_policy(`
@@ -29599,6 +30083,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
mta_dontaudit_read_spool_symlinks(initrc_t)
')
+@@ -718,6 +810,10 @@
+ ')
+
+ optional_policy(`
++ plymouthd_stream_connect(initrc_t)
++')
++
++optional_policy(`
+ postgresql_manage_db(initrc_t)
+ postgresql_read_config(initrc_t)
+ ')
@@ -760,8 +856,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -29621,13 +30116,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -801,8 +897,14 @@
+@@ -790,6 +886,7 @@
+
+ optional_policy(`
+ udev_rw_db(initrc_t)
++ udev_delete_db(initrc_t)
+ udev_manage_pid_files(initrc_t)
+ ')
+
+@@ -801,8 +898,15 @@
virt_manage_svirt_cache(initrc_t)
')
+# Cron jobs used to start and stop services
+optional_policy(`
+ cron_rw_pipes(daemon)
++ cron_rw_inherited_user_spool_files(daemon)
+')
+
optional_policy(`
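Review bot: The new `cron_rw_inherited_user_spool_files(daemon)` is granted on the whole `daemon` attribute, so every daemon domain in the policy, not only initrc_t or the services actually restarted from a crontab, can (by the interface's name) read and write user cron spool files through inherited descriptors. The comment `# Cron jobs used to start and stop services` explains the initrc case but not why the grant must be attribute-wide, and the earlier `cron_rw_pipes(daemon)` at least only covers pipes. If a handful of services trigger this, grant it on those domains; otherwise record the reason, e.g. `# any service restarted from a user crontab inherits the open spool fd`, so the breadth reads as deliberate. The `daemon` attribute itself is declared outside this hunk.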
@@ -29636,7 +30140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -812,6 +914,25 @@
+@@ -812,6 +916,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -29662,7 +30166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -837,3 +958,34 @@
+@@ -837,3 +960,34 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -30443,7 +30947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.15/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2010-03-18 06:48:09.000000000 -0400
-+++ serefpolicy-3.7.15/policy/modules/system/logging.if 2010-03-18 11:49:56.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/system/logging.if 2010-03-18 16:11:19.000000000 -0400
@@ -715,7 +715,25 @@
')
@@ -30471,21 +30975,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-@@ -798,7 +816,9 @@
+@@ -798,7 +816,7 @@
files_search_var($1)
manage_files_pattern($1, logfile, logfile)
- read_lnk_files_pattern($1, logfile, logfile)
+ manage_lnk_files_pattern($1, logfile, logfile)
-+ allow $1 logfile:dir { relabelfrom relabelto };
-+ allow $1 logfile:file { relabelfrom relabelto };
')
########################################
+@@ -996,6 +1014,8 @@
+ manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+
+ logging_manage_all_logs($1)
++ allow $1 logfile:dir { relabelfrom relabelto };
++ allow $1 logfile:file { relabelfrom relabelto };
+
+ init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.15/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-03-18 06:48:09.000000000 -0400
-+++ serefpolicy-3.7.15/policy/modules/system/logging.te 2010-03-18 11:49:56.000000000 -0400
-@@ -180,6 +180,8 @@
++++ serefpolicy-3.7.15/policy/modules/system/logging.te 2010-03-19 11:57:04.000000000 -0400
+@@ -61,6 +61,7 @@
+ type syslogd_t;
+ type syslogd_exec_t;
+ init_daemon_domain(syslogd_t, syslogd_exec_t)
++mls_trusted_object(syslogd_t)
+
+ type syslogd_initrc_exec_t;
+ init_script_file(syslogd_initrc_exec_t)
+@@ -180,6 +181,8 @@
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)
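Review bot: The new `mls_trusted_object(syslogd_t)` in logging.te is a security-sensitive MLS exemption that lands without a comment; as I understand the interface, it lets objects labeled syslogd_t (its log socket) be written by processes at any sensitivity level, which is what makes cross-level syslog delivery work but also makes the log stream a deliberate cross-level channel. Add a why-comment above it, e.g. `# MLS: the syslog socket must accept messages from processes at every level`, so a later reader neither removes it by accident nor treats it as a template for other daemons. The spec changelog ties this release to MLS work, which is presumably the trigger, but the policy file itself should say so.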
@@ -30494,7 +31013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
miscfiles_read_localization(auditd_t)
mls_file_read_all_levels(auditd_t)
-@@ -235,7 +237,11 @@
+@@ -235,7 +238,11 @@
files_read_etc_files(audisp_t)
files_read_etc_runtime_files(audisp_t)
@@ -30506,7 +31025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
logging_send_syslog_msg(audisp_t)
-@@ -245,6 +251,10 @@
+@@ -245,6 +252,10 @@
optional_policy(`
dbus_system_bus_client(audisp_t)
@@ -30517,7 +31036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-@@ -268,6 +278,8 @@
+@@ -268,6 +279,8 @@
logging_send_syslog_msg(audisp_remote_t)
@@ -30526,7 +31045,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
miscfiles_read_localization(audisp_remote_t)
sysnet_dns_name_resolve(audisp_remote_t)
-@@ -491,6 +503,10 @@
+@@ -491,6 +504,10 @@
')
optional_policy(`
@@ -31232,7 +31751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.15/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/system/selinuxutil.if 2010-03-18 11:49:56.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/system/selinuxutil.if 2010-03-19 12:03:04.000000000 -0400
@@ -361,6 +361,27 @@
########################################
@@ -31611,7 +32130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.15/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/system/selinuxutil.te 2010-03-18 11:49:56.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/system/selinuxutil.te 2010-03-22 17:08:31.000000000 -0400
@@ -23,6 +23,9 @@
type selinux_config_t;
files_type(selinux_config_t)
@@ -31702,13 +32221,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
read_files_pattern(newrole_t, default_context_t, default_context_t)
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -270,12 +275,14 @@
+@@ -261,21 +266,17 @@
+ term_getattr_unallocated_ttys(newrole_t)
+ term_dontaudit_use_unallocated_ttys(newrole_t)
+
+-auth_use_nsswitch(newrole_t)
+-auth_domtrans_chk_passwd(newrole_t)
+-auth_domtrans_upd_passwd(newrole_t)
+-auth_rw_faillog(newrole_t)
++auth_use_pam(newrole_t)
+
+ # Write to utmp.
init_rw_utmp(newrole_t)
init_use_fds(newrole_t)
-+logging_send_audit_msgs(newrole_t)
- logging_send_syslog_msg(newrole_t)
-
+-logging_send_syslog_msg(newrole_t)
+-
miscfiles_read_localization(newrole_t)
seutil_libselinux_linked(newrole_t)
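Review bot: Collapsing the four auth_* calls plus `logging_send_syslog_msg(newrole_t)` and the previously added `logging_send_audit_msgs(newrole_t)` into a single `auth_use_pam(newrole_t)` is only equivalent if auth_use_pam itself supplies the audit and syslog send permissions, which this hunk cannot show. newrole is expected to audit role changes, and if that permission is lost the role change still succeeds while the audit record is silently denied, which is worse than a hard failure. Unless auth_use_pam is verified to include it, keep an explicit `logging_send_audit_msgs(newrole_t)` next to the pam call with `# role changes are audited; do not rely on pam pulling this in`.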
@@ -31717,7 +32245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# for some PAM modules and for cwd
userdom_dontaudit_search_user_home_content(newrole_t)
userdom_search_user_home_dirs(newrole_t)
-@@ -313,6 +320,8 @@
+@@ -313,6 +314,8 @@
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
@@ -31726,7 +32254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
fs_relabelfrom_noxattr_fs(restorecond_t)
fs_dontaudit_list_nfs(restorecond_t)
fs_getattr_xattr_fs(restorecond_t)
-@@ -336,6 +345,8 @@
+@@ -336,6 +339,8 @@
seutil_libselinux_linked(restorecond_t)
@@ -31735,7 +32263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
-@@ -354,7 +365,7 @@
+@@ -354,7 +359,7 @@
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@@ -31744,7 +32272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
-@@ -383,7 +394,6 @@
+@@ -383,7 +388,6 @@
auth_use_nsswitch(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
@@ -31752,7 +32280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
auth_dontaudit_read_shadow(run_init_t)
init_spec_domtrans_script(run_init_t)
-@@ -406,6 +416,10 @@
+@@ -406,6 +410,10 @@
')
')
@@ -31763,7 +32291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
-@@ -421,61 +435,22 @@
+@@ -421,61 +429,22 @@
# semodule local policy
#
@@ -31782,15 +32310,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
-kernel_read_kernel_sysctls(semanage_t)
-
-corecmd_exec_bin(semanage_t)
--
--dev_read_urand(semanage_t)
+seutil_semanage_policy(semanage_t)
+allow semanage_t self:fifo_file rw_fifo_file_perms;
--domain_use_interactive_fds(semanage_t)
+-dev_read_urand(semanage_t)
+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+-domain_use_interactive_fds(semanage_t)
+-
-files_read_etc_files(semanage_t)
-files_read_etc_runtime_files(semanage_t)
-files_read_usr_files(semanage_t)
@@ -31814,11 +32342,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
-locallogin_use_fds(semanage_t)
-
-logging_send_syslog_msg(semanage_t)
--
--miscfiles_read_localization(semanage_t)
+# Admins are creating pp files in random locations
+auth_read_all_files_except_shadow(semanage_t)
+-miscfiles_read_localization(semanage_t)
+-
-seutil_libselinux_linked(semanage_t)
seutil_manage_file_contexts(semanage_t)
seutil_manage_config(semanage_t)
@@ -31833,7 +32361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-@@ -484,12 +459,23 @@
+@@ -484,12 +453,23 @@
files_read_var_lib_symlinks(semanage_t)
')
@@ -31857,7 +32385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -499,112 +485,43 @@
+@@ -499,112 +479,43 @@
userdom_read_user_tmp_files(semanage_t)
')
@@ -32251,7 +32779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.15/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/system/sysnetwork.if 2010-03-18 11:49:56.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/system/sysnetwork.if 2010-03-18 13:56:12.000000000 -0400
@@ -43,6 +43,41 @@
sysnet_domtrans_dhcpc($1)
@@ -32680,40 +33208,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.f
+/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.15/policy/modules/system/udev.if
--- nsaserefpolicy/policy/modules/system/udev.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/system/udev.if 2010-03-18 11:49:56.000000000 -0400
-@@ -20,6 +20,24 @@
++++ serefpolicy-3.7.15/policy/modules/system/udev.if 2010-03-18 14:17:36.000000000 -0400
+@@ -196,6 +196,25 @@
########################################
##
-+## Send kill signals to udev.
++## Allow process to delete list of devices.
+##
+##
+##
-+## Domain allowed access.
++## The type of the process performing this action.
+##
+##
+#
-+interface(`udev_kill',`
++interface(`udev_delete_db',`
+ gen_require(`
-+ type udev_t;
++ type udev_tbl_t;
+ ')
+
-+ allow $1 udev_t:process sigkill;
++ dev_list_all_dev_nodes($1)
++ allow $1 udev_tbl_t:file unlink;
+')
+
+########################################
+##
- ## Execute udev in the udev domain.
+ ## Create, read, write, and delete
+ ## udev pid files.
##
- ##
-@@ -192,6 +210,7 @@
-
- dev_list_all_dev_nodes($1)
- allow $1 udev_tbl_t:file rw_file_perms;
-+ allow $1 udev_tbl_t:file unlink;
- ')
-
- ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.15/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2010-03-18 06:48:09.000000000 -0400
+++ serefpolicy-3.7.15/policy/modules/system/udev.te 2010-03-18 11:49:56.000000000 -0400
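Review bot: The new `udev_delete_db` interface grants only `udev_tbl_t:file unlink` plus a listing of /dev; unlinking also requires `remove_name`/`write` on the directory that holds the db, which this interface does not provide, so a caller without a separate write grant on that directory still fails. initrc_t, the one caller in this patch, happens to carry `dev_manage_generic_files`, which masks the gap but leaves the interface not self-contained. If the db directory is itself labeled udev_tbl_t (the fc file is not visible here) replace the allow with `delete_files_pattern($1, udev_tbl_t, udev_tbl_t)`; otherwise state the prerequisite in the summary, e.g. `## Caller must also be able to write the directory holding the udev db.`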
@@ -33512,7 +34033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.gvfs(/.*)? <>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.15/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.15/policy/modules/system/userdomain.if 2010-03-18 11:49:56.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/system/userdomain.if 2010-03-22 15:37:43.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -33635,32 +34156,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- files_dontaudit_getattr_non_security_symlinks($1_t)
- files_dontaudit_getattr_non_security_pipes($1_t)
- files_dontaudit_getattr_non_security_sockets($1_t)
+-
+- libs_exec_ld_so($1_t)
+-
+- miscfiles_read_localization($1_t)
+- miscfiles_read_certs($1_t)
+-
+- sysnet_read_config($1_t)
+ files_dontaudit_getattr_all_dirs($1_usertype)
+ files_dontaudit_list_non_security($1_usertype)
+ files_dontaudit_getattr_all_files($1_usertype)
+ files_dontaudit_getattr_non_security_symlinks($1_usertype)
+ files_dontaudit_getattr_non_security_pipes($1_usertype)
+ files_dontaudit_getattr_non_security_sockets($1_usertype)
-
-- libs_exec_ld_so($1_t)
++
+ storage_rw_fuse($1_usertype)
-
-- miscfiles_read_localization($1_t)
-- miscfiles_read_certs($1_t)
++
+ auth_use_nsswitch($1_usertype)
-
-- sysnet_read_config($1_t)
++
+ libs_exec_ld_so($1_usertype)
-
-- tunable_policy(`allow_execmem',`
-- # Allow loading DSOs that require executable stack.
-- allow $1_t self:process execmem;
-- ')
++
+ miscfiles_read_certs($1_usertype)
+ miscfiles_read_localization($1_usertype)
+ miscfiles_read_man_pages($1_usertype)
+ miscfiles_read_public_files($1_usertype)
+- tunable_policy(`allow_execmem',`
+- # Allow loading DSOs that require executable stack.
+- allow $1_t self:process execmem;
+- ')
+-
- tunable_policy(`allow_execmem && allow_execstack',`
- # Allow making the stack executable via mprotect.
- allow $1_t self:process execstack;
@@ -34044,43 +34569,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ optional_policy(`
+ bluetooth_dbus_chat($1_usertype)
+ ')
-+
-+ optional_policy(`
-+ consolekit_dbus_chat($1_usertype)
-+ consolekit_read_log($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ devicekit_dbus_chat($1_usertype)
-+ devicekit_dbus_chat_power($1_usertype)
-+ devicekit_dbus_chat_disk($1_usertype)
-+ ')
optional_policy(`
- bluetooth_dbus_chat($1_t)
-+ evolution_dbus_chat($1_usertype)
-+ evolution_alarm_dbus_chat($1_usertype)
++ consolekit_dbus_chat($1_usertype)
++ consolekit_read_log($1_usertype)
')
optional_policy(`
- evolution_dbus_chat($1_t)
- evolution_alarm_dbus_chat($1_t)
-+ gnome_dbus_chat_gconfdefault($1_usertype)
++ devicekit_dbus_chat($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
-+ hal_dbus_chat($1_usertype)
++ evolution_dbus_chat($1_usertype)
++ evolution_alarm_dbus_chat($1_usertype)
')
optional_policy(`
- hal_dbus_chat($1_t)
-+ networkmanager_dbus_chat($1_usertype)
-+ networkmanager_read_var_lib_files($1_usertype)
++ gnome_dbus_chat_gconfdefault($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
++ hal_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
++ networkmanager_dbus_chat($1_usertype)
++ networkmanager_read_var_lib_files($1_usertype)
++ ')
++
++ optional_policy(`
+ vpnc_dbus_chat($1_usertype)
')
')
@@ -34196,7 +34721,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- userdom_manage_tmpfs_role($1_r, $1_t)
+ userdom_manage_tmp_role($1_r, $1_usertype)
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
-+
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable(allow_$1_exec_content, true)
+
@@ -34207,9 +34734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
++
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@@ -34614,7 +35139,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1272,11 +1419,15 @@
+@@ -1234,6 +1381,7 @@
+ seutil_run_checkpolicy($1,$2)
+ seutil_run_loadpolicy($1,$2)
+ seutil_run_semanage($1,$2)
++ seutil_run_setsebool($1,$2)
+ seutil_run_setfiles($1, $2)
+
+ optional_policy(`
+@@ -1272,11 +1420,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -34630,7 +35163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1387,6 +1538,7 @@
+@@ -1387,6 +1539,7 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -34638,7 +35171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_home($1)
')
-@@ -1433,6 +1585,14 @@
+@@ -1433,6 +1586,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -34653,7 +35186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1448,9 +1608,11 @@
+@@ -1448,9 +1609,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -34665,7 +35198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1507,6 +1669,42 @@
+@@ -1507,6 +1670,42 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -34708,7 +35241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
##
## Create directories in the home dir root with
-@@ -1581,6 +1779,8 @@
+@@ -1581,6 +1780,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -34717,7 +35250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1595,10 +1795,12 @@
+@@ -1595,10 +1796,12 @@
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -34732,7 +35265,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1641,6 +1843,24 @@
+@@ -1641,6 +1844,24 @@
########################################
##
@@ -34757,7 +35290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1692,6 +1912,7 @@
+@@ -1692,6 +1913,7 @@
type user_home_dir_t, user_home_t;
')
@@ -34765,7 +35298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1708,11 +1929,14 @@
+@@ -1708,11 +1930,14 @@
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -34783,7 +35316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1819,20 +2043,14 @@
+@@ -1819,20 +2044,14 @@
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -34808,7 +35341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
##
-@@ -1866,6 +2084,7 @@
+@@ -1866,6 +2085,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -34816,7 +35349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2102,6 +2321,25 @@
+@@ -2102,6 +2322,25 @@
########################################
##
@@ -34842,7 +35375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to list user
## temporary directories.
##
-@@ -2218,6 +2456,25 @@
+@@ -2218,6 +2457,25 @@
########################################
##
@@ -34868,7 +35401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to manage users
## temporary files.
##
-@@ -2427,13 +2684,14 @@
+@@ -2427,13 +2685,14 @@
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -34884,7 +35417,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -2787,7 +3045,7 @@
+@@ -2454,6 +2713,24 @@
+
+ ########################################
+ ##
++## Delete user tmpfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_delete_user_tmpfs_files',`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ allow $1 user_tmpfs_t:file delete_file_perms;
++')
++
++########################################
++##
+ ## Get the attributes of a user domain tty.
+ ##
+ ##
+@@ -2787,7 +3064,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -34893,7 +35451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow unpriv_userdomain $1:process sigchld;
')
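Review bot: `userdom_delete_user_tmpfs_files` grants `user_tmpfs_t:file delete_file_perms` with no directory permission, yet deleting a tmpfs file also needs `remove_name` on its parent directory, which is left to the caller without being mentioned. If user tmpfs directories carry the same type, `delete_files_pattern($1, user_tmpfs_t, user_tmpfs_t)` is the self-contained form and matches the `read_files_pattern` used by the read interface in the preceding hunk; if the parent is plain tmpfs_t, say so in the summary, e.g. `## Caller must separately be able to write the containing tmpfs directory.` The interface is complete within this hunk, so either change is local.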
-@@ -2803,11 +3061,13 @@
+@@ -2803,11 +3080,13 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -34909,7 +35467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2944,7 +3204,7 @@
+@@ -2944,7 +3223,7 @@
type user_tmp_t;
')
@@ -34918,7 +35476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2981,6 +3241,7 @@
+@@ -2981,6 +3260,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -34926,7 +35484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
-@@ -3111,3 +3372,745 @@
+@@ -3111,3 +3391,745 @@
allow $1 userdomain:dbus send_msg;
')
@@ -35913,7 +36471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.15/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-03-04 11:44:07.000000000 -0500
-+++ serefpolicy-3.7.15/policy/support/obj_perm_sets.spt 2010-03-18 11:49:56.000000000 -0400
++++ serefpolicy-3.7.15/policy/support/obj_perm_sets.spt 2010-03-22 13:59:59.000000000 -0400
@@ -28,7 +28,7 @@
#
# All socket classes.
@@ -35923,6 +36481,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets
#
+@@ -105,7 +105,7 @@
+ #
+ # Permissions for using sockets.
+ #
+-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
++define(`rw_socket_perms', `{ ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }')
+
+ #
+ # Permissions for creating and using sockets.
@@ -199,12 +199,14 @@
#
define(`getattr_file_perms',`{ getattr }')
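Review bot: Adding `lock` to `rw_socket_perms` widens every domain in the policy that uses this set, not just the domain that evidently needed it, and nothing records why. Socket `lock` is low risk, but shared permission sets are read as policy-wide intent, so add a one-line justification above the define, e.g. `# lock: some domains attempt flock() on sockets; harmless, allowed set-wide`, or grant `lock` only in the domain that triggered the change if it is a single case.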
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3b87b5f..ddbff26 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.15
-Release: 1%{?dist}
+Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,15 @@ exit 0
%endif
%changelog
+* Mon Mar 22 2010 Dan Walsh 3.7.15-4
+- Add label for /var/lib/upower
+
+* Thu Mar 18 2010 Dan Walsh 3.7.15-3
+- make libvirt work on an MLS platform
+
+* Thu Mar 18 2010 Dan Walsh 3.7.15-2
+- Add qpidd policy
+
* Thu Mar 18 2010 Dan Walsh 3.7.15-1
- Update to upstream