diff --git a/policy-F14.patch b/policy-F14.patch index 868dd23..fa3d27d 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -1066,7 +1066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.8.7/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2010-07-14 11:21:53.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/admin/rpm.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/admin/rpm.te 2010-07-19 17:04:05.000000000 -0400 @@ -1,10 +1,11 @@ policy_module(rpm, 1.11.1) @@ -1113,7 +1113,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) -@@ -106,6 +112,7 @@ +@@ -100,12 +106,14 @@ + manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) + files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) + ++manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) + manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) +-files_pid_filetrans(rpm_t, rpm_var_run_t, file) ++files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir }) + kernel_read_network_state(rpm_t) kernel_read_system_state(rpm_t) kernel_read_kernel_sysctls(rpm_t) @@ -1121,7 +1129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te corecmd_exec_all_executables(rpm_t) -@@ -125,6 +132,8 @@ +@@ -125,6 +133,8 @@ dev_list_sysfs(rpm_t) dev_list_usbfs(rpm_t) dev_read_urand(rpm_t) @@ -1130,7 +1138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te fs_getattr_all_dirs(rpm_t) fs_list_inotifyfs(rpm_t) -@@ -205,6 +214,7 @@ +@@ -205,6 +215,7 @@ optional_policy(` networkmanager_dbus_chat(rpm_t) ') 
@@ -1138,7 +1146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te ') optional_policy(` -@@ -212,7 +222,7 @@ +@@ -212,7 +223,7 @@ ') optional_policy(` @@ -1147,7 +1155,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te # yum-updatesd requires this unconfined_dbus_chat(rpm_t) unconfined_dbus_chat(rpm_script_t) -@@ -242,6 +252,8 @@ +@@ -242,6 +253,8 @@ allow rpm_script_t rpm_script_tmp_t:dir mounton; manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) @@ -1156,7 +1164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -@@ -254,6 +266,7 @@ +@@ -254,6 +267,7 @@ kernel_read_kernel_sysctls(rpm_script_t) kernel_read_system_state(rpm_script_t) kernel_read_network_state(rpm_script_t) @@ -1164,7 +1172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te kernel_read_software_raid_state(rpm_script_t) dev_list_sysfs(rpm_script_t) -@@ -301,6 +314,8 @@ +@@ -301,6 +315,8 @@ auth_relabel_shadow(rpm_script_t) corecmd_exec_all_executables(rpm_script_t) @@ -1173,7 +1181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) -@@ -331,12 +346,15 @@ +@@ -331,12 +347,15 @@ seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) @@ -1189,7 +1197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te ') ') -@@ -366,8 +384,9 @@ +@@ -366,8 +385,9 @@ ') optional_policy(` 
@@ -1751,8 +1759,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.8.7/policy/modules/apps/execmem.fc --- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.7/policy/modules/apps/execmem.fc 2010-07-14 14:08:02.000000000 -0400 -@@ -0,0 +1,47 @@ ++++ serefpolicy-3.8.7/policy/modules/apps/execmem.fc 2010-07-19 11:58:29.000000000 -0400 +@@ -0,0 +1,48 @@ + +/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/compiz -- gen_context(system_u:object_r:execmem_exec_t,s0) @@ -1760,6 +1768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. +/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/mutter -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/plasma-desktop -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0) @@ -3048,7 +3057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te s + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.8.7/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/apps/java.fc 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/apps/java.fc 2010-07-19 11:22:49.000000000 -0400 @@ -9,6 +9,7 @@ # # /usr 
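Review bot: The new `/usr/bin/plasma-desktop` entry in execmem.fc puts the whole KDE desktop shell into `execmem_exec_t` without any comment saying why, and the surrounding entries (compilers, Haskell/Lisp runtimes, compositors) suggest this label is what exempts a binary from the policy's writable-and-executable memory restrictions. Every entry added here therefore widens the set of user-facing programs that can map W+X memory, so the reason should be recorded next to it, e.g. `# plasma-desktop: needs execmem for its script/plugin engine — confirm against the AVC denial that motivated this` (the exact cause is not visible in the hunk). Please also confirm the path is the installed binary and not a wrapper script, since a script would make the interpreter the thing gaining execmem.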
@@ -3057,11 +3066,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) -@@ -33,6 +34,8 @@ +@@ -33,6 +34,9 @@ /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) +/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) ++/opt/ibm(/.*)?/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + ifdef(`distro_redhat',` /usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) @@ -4321,6 +4331,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi +# Unconfined java local policy +# + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.8.7/policy/modules/apps/podsleuth.te +--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2010-07-14 11:21:53.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/apps/podsleuth.te 2010-07-19 10:50:32.000000000 -0400 +@@ -73,6 +73,7 @@ + sysnet_dns_name_resolve(podsleuth_t) + + userdom_signal_unpriv_users(podsleuth_t) ++userdom_signull_unpriv_users(podsleuth_t) + userdom_read_user_tmpfs_files(podsleuth_t) + + optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.8.7/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-07-14 11:21:53.000000000 -0400 +++ serefpolicy-3.8.7/policy/modules/apps/pulseaudio.if 2010-07-14 14:08:02.000000000 -0400 
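Review bot: The added `/opt/ibm(/.*)?/eclipse/plugins(/.*)?` pattern in java.fc labels every regular file under any `eclipse/plugins` tree anywhere below `/opt/ibm` as `java_exec_t`, which turns plain data (jars, manifests, message bundles) into executables/entrypoints for the java domain rather than just the native helpers that need it. It also fully subsumes the Symphony line kept immediately above it, so that line is now dead. Consider anchoring the pattern to the products actually shipped, e.g. `/opt/ibm/lotus(/.*)?/eclipse/plugins(/.*)?`, and dropping the redundant Symphony entry, with a comment naming which plugin binaries require the exec label.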
@@ -4337,7 +4358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.8.7/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-07-14 11:21:53.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/apps/pulseaudio.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/apps/pulseaudio.te 2010-07-19 17:04:41.000000000 -0400 @@ -44,6 +44,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) @@ -4346,6 +4367,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) +@@ -53,7 +54,7 @@ + manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) + manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) + manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) +-files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file }) ++files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { file dir }) + + can_exec(pulseaudio_t, pulseaudio_exec_t) + @@ -94,11 +95,6 @@ miscfiles_read_localization(pulseaudio_t) 
@@ -6499,7 +6529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.8.7/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-06-08 10:35:48.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/kernel/devices.fc 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/kernel/devices.fc 2010-07-19 13:59:55.000000000 -0400 @@ -176,13 +176,12 @@ /etc/udev/devices -d gen_context(system_u:object_r:device_t,s0) @@ -6516,7 +6546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ifdef(`distro_redhat',` # originally from named.fc -@@ -191,3 +190,8 @@ +@@ -191,3 +190,9 @@ /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ') @@ -6525,6 +6555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +# /sys +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) ++/sys/kernel/debug(/.*)? gen_context(system_u:object_r:debugfs_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.7/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-06-08 10:35:48.000000000 -0400 +++ serefpolicy-3.8.7/policy/modules/kernel/devices.if 2010-07-15 15:55:56.000000000 -0400 
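Review bot: The new `/sys/kernel/debug(/.*)?` entry in devices.fc covers a mountpoint whose contents live on debugfs, which — like sysfs — gets its labels from a `genfscon` rule at mount time, and debugfs does not store security xattrs, so `restorecon -R /sys` can at best set the mountpoint directory and will warn on everything beneath it (the exact kernel behaviour for this Fedora release is not visible here). If the intent is only to keep `matchpathcon` consistent with the `debugfs_t` genfscon rule, say so: `# debugfs is labeled via genfscon; this entry keeps matchpathcon consistent for the mountpoint only`. If it is meant to actually relabel debugfs files it will not do that.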
@@ -7557,7 +7588,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. typealias etc_runtime_t alias firstboot_rw_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.8.7/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-07-14 11:21:53.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/kernel/filesystem.if 2010-07-15 16:01:12.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/kernel/filesystem.if 2010-07-19 17:14:31.000000000 -0400 @@ -1233,7 +1233,7 @@ type cifs_t; ') @@ -7593,10 +7624,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ####################################### ## ## Create, read, write, and delete dirs -@@ -1923,6 +1942,43 @@ +@@ -1923,7 +1942,26 @@ ######################################## ## +-## Read and write hugetlbfs files. +## Get the attributes of an hugetlbfs +## filesystem; +## @@ -7616,6 +7648,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + +######################################## +## ++## R/W hugetlbfs files. + ## + ## + ## +@@ -1938,6 +1976,41 @@ + + rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) + ') ++######################################## ++## +## Manage hugetlbfs dirs. +## +## @@ -7634,10 +7676,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + +######################################## +## - ## Read and write hugetlbfs files. - ## - ## -@@ -1991,6 +2047,7 @@ ++## List hugetlbfs dirs ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_list_hugetlbfs',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ ++ allow $1 hugetlbfs_t:dir list_dir_perms; ++') + + ######################################## + ## +@@ -1991,6 +2064,7 @@ ') allow $1 inotifyfs_t:dir list_dir_perms; 
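Review bot: The new hugetlbfs interfaces in filesystem.if are spliced in without the blank line that separates every other interface in this file: the `')` closing `fs_rw_hugetlbfs_files` is immediately followed by the `########` banner of the `Manage hugetlbfs dirs` block, and the same happens before `fs_list_hugetlbfs`. Add the separating blank line in both places so the file keeps its one-interface-per-banner layout. The summary of the new getattr interface also reads `Get the attributes of an hugetlbfs filesystem;` — suggest `Get the attributes of a hugetlbfs filesystem.`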
@@ -7645,7 +7702,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2387,6 +2444,25 @@ +@@ -2387,6 +2461,25 @@ ######################################## ## @@ -7671,7 +7728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Append files ## on a NFS filesystem. ## -@@ -2441,7 +2517,7 @@ +@@ -2441,7 +2534,7 @@ type nfs_t; ') @@ -7680,7 +7737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2629,6 +2705,24 @@ +@@ -2629,6 +2722,24 @@ ######################################## ## @@ -7705,7 +7762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Read removable storage symbolic links. ## ## -@@ -2837,7 +2931,7 @@ +@@ -2837,7 +2948,7 @@ ######################################### ## ## Create, read, write, and delete symbolic links @@ -7714,7 +7771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## ## ## -@@ -3962,6 +4056,24 @@ +@@ -3962,6 +4073,24 @@ ######################################## ## @@ -7739,7 +7796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4654,3 +4766,24 @@ +@@ -4654,3 +4783,24 @@ typeattribute $1 filesystem_unconfined_type; ') 
@@ -10442,6 +10499,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise + +userdom_rw_semaphores(aisexec_t) +userdom_rw_unpriv_user_shared_mem(aisexec_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.8.7/policy/modules/services/amavis.te +--- nsaserefpolicy/policy/modules/services/amavis.te 2010-06-18 13:07:19.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/amavis.te 2010-07-19 16:29:32.000000000 -0400 +@@ -92,9 +92,10 @@ + logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir }) + + # pid file ++manage_dirs_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t) + manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t) + manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t) +-files_pid_filetrans(amavis_t, amavis_var_run_t, { file sock_file }) ++files_pid_filetrans(amavis_t, amavis_var_run_t, { file sock_file dir }) + + kernel_read_kernel_sysctls(amavis_t) + # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl... diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.8.7/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2010-04-06 15:15:38.000000000 -0400 +++ serefpolicy-3.8.7/policy/modules/services/apache.fc 2010-07-14 14:08:02.000000000 -0400 @@ -11510,7 +11582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw fs_getattr_all_fs(arpwatch_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.8.7/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/asterisk.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/asterisk.te 2010-07-19 16:28:25.000000000 -0400 
@@ -99,6 +99,7 @@ corenet_tcp_bind_generic_node(asterisk_t) corenet_udp_bind_generic_node(asterisk_t) @@ -11560,6 +11632,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah allow $1 avahi_t:dbus send_msg; allow avahi_t $1:dbus send_msg; ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.8.7/policy/modules/services/avahi.te +--- nsaserefpolicy/policy/modules/services/avahi.te 2010-06-18 13:07:19.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/avahi.te 2010-07-19 16:30:08.000000000 -0400 +@@ -37,10 +37,11 @@ + manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) + files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file }) + ++manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) + manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) + manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) + allow avahi_t avahi_var_run_t:dir setattr; +-files_pid_filetrans(avahi_t, avahi_var_run_t, file) ++files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file }) + + kernel_read_system_state(avahi_t) + kernel_read_kernel_sysctls(avahi_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.8.7/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2010-03-23 10:55:15.000000000 -0400 +++ serefpolicy-3.8.7/policy/modules/services/bind.if 2010-07-14 14:08:02.000000000 -0400 
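Review bot: With `manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)` added two lines above it, the retained `allow avahi_t avahi_var_run_t:dir setattr;` in avahi.te is now redundant — `manage_dir_perms` already includes `setattr` — and should be dropped so readers do not take it for a separate grant. The widened `files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })` lets avahi create directories directly in `/var/run` typed `avahi_var_run_t`, which is fine but deserves a one-line comment naming the directory it creates (presumably `/var/run/avahi-daemon`; not visible here).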
@@ -11585,6 +11673,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind files_list_pids($1) admin_pattern($1, named_var_run_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.8.7/policy/modules/services/bind.te +--- nsaserefpolicy/policy/modules/services/bind.te 2010-06-18 13:07:19.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/bind.te 2010-07-19 17:05:39.000000000 -0400 +@@ -89,9 +89,10 @@ + manage_files_pattern(named_t, named_tmp_t, named_tmp_t) + files_tmp_filetrans(named_t, named_tmp_t, { file dir }) + ++manage_dirs_pattern(named_t, named_var_run_t, named_var_run_t) + manage_files_pattern(named_t, named_var_run_t, named_var_run_t) + manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t) +-files_pid_filetrans(named_t, named_var_run_t, { file sock_file }) ++files_pid_filetrans(named_t, named_var_run_t, { file sock_file dir }) + + # read zone files + allow named_t named_zone_t:dir list_dir_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.8.7/policy/modules/services/bitlbee.te --- nsaserefpolicy/policy/modules/services/bitlbee.te 2010-06-18 13:07:19.000000000 -0400 +++ serefpolicy-3.8.7/policy/modules/services/bitlbee.te 2010-07-14 14:08:02.000000000 -0400 
@@ -12262,6 +12365,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach +fs_getattr_xattr_fs(cachefiles_kernel_t) + +dev_search_sysfs(cachefiles_kernel_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.te serefpolicy-3.8.7/policy/modules/services/canna.te +--- nsaserefpolicy/policy/modules/services/canna.te 2010-06-18 13:07:19.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/canna.te 2010-07-19 16:30:26.000000000 -0400 +@@ -42,9 +42,10 @@ + manage_lnk_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) + files_var_lib_filetrans(canna_t, canna_var_lib_t, file) + ++manage_dirs_pattern(canna_t, canna_var_run_t, canna_var_run_t) + manage_files_pattern(canna_t, canna_var_run_t, canna_var_run_t) + manage_sock_files_pattern(canna_t, canna_var_run_t, canna_var_run_t) +-files_pid_filetrans(canna_t, canna_var_run_t, { file sock_file }) ++files_pid_filetrans(canna_t, canna_var_run_t, { dir file sock_file }) + + kernel_read_kernel_sysctls(canna_t) + kernel_read_system_state(canna_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.8.7/policy/modules/services/ccs.te --- nsaserefpolicy/policy/modules/services/ccs.te 2010-06-18 13:07:19.000000000 -0400 +++ serefpolicy-3.8.7/policy/modules/services/ccs.te 2010-07-14 14:08:02.000000000 -0400 
@@ -13437,6 +13555,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro ') optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.8.7/policy/modules/services/courier.if +--- nsaserefpolicy/policy/modules/services/courier.if 2010-01-11 09:40:36.000000000 -0500 ++++ serefpolicy-3.8.7/policy/modules/services/courier.if 2010-07-19 17:00:47.000000000 -0400 +@@ -38,10 +38,12 @@ + read_files_pattern(courier_$1_t, courier_etc_t, courier_etc_t) + allow courier_$1_t courier_etc_t:dir list_dir_perms; + ++ manage_dirs_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) + manage_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) + manage_lnk_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) + manage_sock_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) + files_search_pids(courier_$1_t) ++ files_pid_filetrans(courier_$1_t, courier_var_run_t, dir) + + kernel_read_system_state(courier_$1_t) + kernel_read_kernel_sysctls(courier_$1_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.8.7/policy/modules/services/courier.te --- nsaserefpolicy/policy/modules/services/courier.te 2010-07-14 11:21:53.000000000 -0400 +++ serefpolicy-3.8.7/policy/modules/services/courier.te 2010-07-14 14:08:02.000000000 -0400 @@ -13987,7 +14121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.8.7/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/cups.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/cups.te 2010-07-19 16:32:46.000000000 -0400 @@ -15,6 +15,7 @@ type cupsd_t; type cupsd_exec_t; 
@@ -14012,7 +14146,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) allow cupsd_t cupsd_log_t:dir setattr; logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) -@@ -297,8 +300,10 @@ +@@ -147,10 +150,11 @@ + files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) + + allow cupsd_t cupsd_var_run_t:dir setattr; ++manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) + manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) + manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) + manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) +-files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file }) ++files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir file fifo_file }) + + allow cupsd_t hplip_t:process { signal sigkill }; + +@@ -297,8 +301,10 @@ hal_dbus_chat(cupsd_t) ') @@ -14023,7 +14170,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') ') -@@ -425,6 +430,7 @@ +@@ -371,8 +377,9 @@ + + allow cupsd_config_t cupsd_var_run_t:file read_file_perms; + ++manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) + manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) +-files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file) ++files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) + + domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) + +@@ -425,6 +432,7 @@ userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) @@ -14031,7 +14189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cups_stream_connect(cupsd_config_t) -@@ -453,6 +459,10 @@ +@@ -453,6 +461,10 @@ ') optional_policy(` 
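Review bot: Once `manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)` is added, the `allow cupsd_t cupsd_var_run_t:dir setattr;` kept directly above it in cups.te is subsumed (`manage_dir_perms` carries `setattr`) and should be removed rather than left as a second, weaker-looking grant. The same hunk set gives `cupsd_config_t` full directory management plus a `dir` pid filetrans in `/var/run`; a short comment naming the directory each domain now creates would make the two additions auditable later.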
@@ -14042,7 +14200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -587,13 +597,18 @@ +@@ -587,13 +599,18 @@ miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) @@ -14070,6 +14228,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.te serefpolicy-3.8.7/policy/modules/services/cyphesis.te +--- nsaserefpolicy/policy/modules/services/cyphesis.te 2010-06-18 13:07:19.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/cyphesis.te 2010-07-19 16:33:20.000000000 -0400 +@@ -36,9 +36,10 @@ + allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms; + files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, file) + ++manage_dirs_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) + manage_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) + manage_sock_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) +-files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, { file sock_file }) ++files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, { dir file sock_file }) + + kernel_read_system_state(cyphesis_t) + kernel_read_kernel_sysctls(cyphesis_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.8.7/policy/modules/services/cyrus.te --- nsaserefpolicy/policy/modules/services/cyrus.te 2010-06-18 13:07:19.000000000 -0400 +++ serefpolicy-3.8.7/policy/modules/services/cyrus.te 2010-07-14 14:08:02.000000000 -0400 
@@ -14172,16 +14345,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.8.7/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/dbus.te 2010-07-14 14:08:02.000000000 -0400 -@@ -121,6 +121,7 @@ ++++ serefpolicy-3.8.7/policy/modules/services/dbus.te 2010-07-19 17:03:13.000000000 -0400 +@@ -74,9 +74,10 @@ + + read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + ++manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) + manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) + manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) +-files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, file) ++files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir }) + + kernel_read_system_state(system_dbusd_t) + kernel_read_kernel_sysctls(system_dbusd_t) +@@ -121,7 +122,9 @@ init_use_fds(system_dbusd_t) init_use_script_ptys(system_dbusd_t) +init_bin_domtrans_spec(system_dbusd_t) init_domtrans_script(system_dbusd_t) ++init_rw_stream_sockets(system_dbusd_t) logging_send_audit_msgs(system_dbusd_t) -@@ -141,7 +142,15 @@ + logging_send_syslog_msg(system_dbusd_t) +@@ -141,7 +144,15 @@ ') optional_policy(` @@ -14198,7 +14385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) ') -@@ -158,5 +167,12 @@ +@@ -158,5 +169,12 @@ # # Unconfined access to this module # 
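Review bot: `init_rw_stream_sockets(system_dbusd_t)` in dbus.te gives the system bus read/write access to init's unix stream sockets, and it lands right next to the already-present `init_bin_domtrans_spec(system_dbusd_t)` and `init_domtrans_script(system_dbusd_t)`, so the bus can now both talk to init over its socket and run `bin_t` programs in init's script domain; nothing in the hunk records which socket or which consumer needs this. Since the system bus is reachable by every local session, the grant should carry a comment naming its purpose, e.g. `# init (upstart on this release, presumably) exposes its control socket to the system bus — confirm against the denial` with the assumption verified before merge. If only a specific socket file is involved, a narrower type than all of init's stream sockets would be preferable.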
@@ -14212,6 +14399,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + xserver_rw_xdm_pipes(session_bus_type) + xserver_append_xdm_home_files(session_bus_type) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.8.7/policy/modules/services/dcc.te +--- nsaserefpolicy/policy/modules/services/dcc.te 2010-06-18 13:07:19.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/dcc.te 2010-07-19 17:01:10.000000000 -0400 +@@ -231,8 +231,9 @@ + manage_files_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t) + files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir }) + ++manage_dirs_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t) + manage_files_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t) +-files_pid_filetrans(dccd_t, dccd_var_run_t, file) ++files_pid_filetrans(dccd_t, dccd_var_run_t, { file dir }) + + kernel_read_system_state(dccd_t) + kernel_read_kernel_sysctls(dccd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.8.7/policy/modules/services/denyhosts.te --- nsaserefpolicy/policy/modules/services/denyhosts.te 2010-06-18 13:07:19.000000000 -0400 +++ serefpolicy-3.8.7/policy/modules/services/denyhosts.te 2010-07-14 14:08:02.000000000 -0400 @@ -14330,7 +14531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.8.7/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/dnsmasq.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/dnsmasq.te 2010-07-19 16:35:56.000000000 -0400 @@ -92,7 +92,11 @@ userdom_dontaudit_search_user_home_dirs(dnsmasq_t) 
@@ -14402,7 +14603,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.8.7/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/dovecot.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/dovecot.te 2010-07-19 16:36:15.000000000 -0400 @@ -58,7 +58,7 @@ allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot }; @@ -14412,7 +14613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_t self:fifo_file rw_fifo_file_perms; allow dovecot_t self:tcp_socket create_stream_socket_perms; allow dovecot_t self:unix_dgram_socket create_socket_perms; -@@ -94,6 +94,7 @@ +@@ -94,10 +94,11 @@ manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) @@ -14420,6 +14621,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) +-files_pid_filetrans(dovecot_t, dovecot_var_run_t, file) ++files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file }) + + kernel_read_kernel_sysctls(dovecot_t) + kernel_read_system_state(dovecot_t) @@ -242,6 +243,7 @@ ') 
@@ -14618,6 +14824,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail +optional_policy(` iptables_domtrans(fail2ban_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.8.7/policy/modules/services/fetchmail.te +--- nsaserefpolicy/policy/modules/services/fetchmail.te 2010-06-18 13:07:19.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/fetchmail.te 2010-07-19 16:37:35.000000000 -0400 +@@ -37,8 +37,9 @@ + allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms; + mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file) + ++manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) + manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) +-files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, file) ++files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file }) + + kernel_read_kernel_sysctls(fetchmail_t) + kernel_list_proc(fetchmail_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.8.7/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 2010-06-18 13:07:19.000000000 -0400 +++ serefpolicy-3.8.7/policy/modules/services/fprintd.te 2010-07-14 14:08:02.000000000 -0400 
@@ -14627,6 +14847,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri policykit_domtrans_auth(fprintd_t) + policykit_dbus_chat_auth(fprintd_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.8.7/policy/modules/services/ftp.fc +--- nsaserefpolicy/policy/modules/services/ftp.fc 2010-05-25 16:28:22.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/ftp.fc 2010-07-19 11:30:17.000000000 -0400 +@@ -29,3 +29,4 @@ + /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) + /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) + /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) ++/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.8.7/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2010-06-18 13:07:19.000000000 -0400 +++ serefpolicy-3.8.7/policy/modules/services/ftp.te 2010-07-14 14:08:02.000000000 -0400 
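Review bot: The new ftp.fc entry `/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0)` labels a file under /usr/libexec with a log type that the ftp domain manages, which makes a path inside an otherwise read-only program tree writable by that domain; that is unusual enough to deserve a one-line comment naming who writes it, e.g. `# webmin's vsftpd/webalizer module keeps a copy of the transfer log in its own tree`, hedged until confirmed against webmin. The entry is also appended after the /var/log lines although .fc files are kept in path order, so it belongs with the other /usr entries near the top of the file. Both are small, but a file context that grants write access under /usr is the kind of line a later auditor will question without a note.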
@@ -15714,7 +15942,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.8.7/policy/modules/services/inn.te --- nsaserefpolicy/policy/modules/services/inn.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/inn.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/inn.te 2010-07-19 16:39:14.000000000 -0400 +@@ -56,7 +56,7 @@ + manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t) + manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) + manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) +-files_pid_filetrans(innd_t, innd_var_run_t, file) ++files_pid_filetrans(innd_t, innd_var_run_t, { dir file }) + + manage_dirs_pattern(innd_t, news_spool_t, news_spool_t) + manage_files_pattern(innd_t, news_spool_t, news_spool_t) @@ -105,6 +105,7 @@ userdom_dontaudit_use_unpriv_user_fds(innd_t) @@ -15935,7 +16172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.8.7/policy/modules/services/ldap.te --- nsaserefpolicy/policy/modules/services/ldap.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/ldap.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/ldap.te 2010-07-19 16:35:22.000000000 -0400 @@ -27,9 +27,15 @@ type slapd_replog_t; files_type(slapd_replog_t) @@ -15952,7 +16189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap type slapd_var_run_t; files_pid_file(slapd_var_run_t) -@@ -67,10 +73,17 @@ +@@ -67,13 +73,21 @@ manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) 
@@ -15967,12 +16204,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap +manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t) +fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t,file) + ++manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) - files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file }) +-files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file }) ++files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) + + kernel_read_system_state(slapd_t) + kernel_read_kernel_sysctls(slapd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.8.7/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/lircd.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/lircd.te 2010-07-19 17:06:15.000000000 -0400 @@ -24,6 +24,7 @@ # @@ -15981,6 +16223,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc allow lircd_t self:fifo_file rw_fifo_file_perms; allow lircd_t self:unix_dgram_socket create_socket_perms; allow lircd_t self:tcp_socket create_stream_socket_perms; +@@ -34,7 +35,7 @@ + manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) + manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) + manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) +-files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file }) ++files_pid_filetrans(lircd_t, lircd_var_run_t, { file dir }) + # /dev/lircd socket + dev_filetrans(lircd_t, lircd_var_run_t, sock_file) + @@ -44,7 +45,7 @@ corenet_tcp_sendrecv_all_ports(lircd_t) corenet_tcp_connect_lirc_port(lircd_t) 
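Review bot: In the lircd hunk the change `-files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file })` → `+files_pid_filetrans(lircd_t, lircd_var_run_t, { file dir })` only reorders an object-class set, which has no effect on the compiled policy; it is pure churn that enlarges the patch and will show up as a spurious conflict on the next rebase. Since lircd already had `dir` in its filetrans and already had `manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)`, this file needs no change from this commit at all and the hunk should be dropped. If the intent is to normalise the set order across modules, the other hunks in this commit still mix `{ dir file }`, `{ file dir }` and `{ file sock_file dir }`, so the normalisation is not achieved here either.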
@@ -15992,8 +16243,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc dev_rw_lirc(lircd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.te serefpolicy-3.8.7/policy/modules/services/lpd.te --- nsaserefpolicy/policy/modules/services/lpd.te 2010-07-14 11:21:53.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/lpd.te 2010-07-14 14:08:02.000000000 -0400 -@@ -308,12 +308,14 @@ ++++ serefpolicy-3.8.7/policy/modules/services/lpd.te 2010-07-19 16:40:19.000000000 -0400 +@@ -145,9 +145,10 @@ + manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) + files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir }) + ++manage_dirs_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) + manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) + manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) +-files_pid_filetrans(lpd_t, lpd_var_run_t, file) ++files_pid_filetrans(lpd_t, lpd_var_run_t, { dir file }) + + # Write to /var/spool/lpd. + manage_files_pattern(lpd_t, print_spool_t, print_spool_t) +@@ -308,12 +309,14 @@ ') tunable_policy(`use_nfs_home_dirs',` @@ -17064,7 +17327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ## Append to the munin log. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.8.7/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/munin.te 2010-07-14 14:15:45.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/munin.te 2010-07-19 17:05:50.000000000 -0400 @@ -40,7 +40,7 @@ # Local policy # 
@@ -17074,7 +17337,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni dontaudit munin_t self:capability sys_tty_config; allow munin_t self:process { getsched setsched signal_perms }; allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -145,6 +145,7 @@ +@@ -71,9 +71,10 @@ + manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) + files_search_var_lib(munin_t) + ++manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t) + manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) + manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) +-files_pid_filetrans(munin_t, munin_var_run_t, file) ++files_pid_filetrans(munin_t, munin_var_run_t, { file dir }) + + kernel_read_system_state(munin_t) + kernel_read_network_state(munin_t) +@@ -145,6 +146,7 @@ optional_policy(` mta_read_config(munin_t) mta_send_mail(munin_t) @@ -17082,7 +17357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni mta_read_queue(munin_t) ') -@@ -159,6 +160,7 @@ +@@ -159,6 +161,7 @@ optional_policy(` postfix_list_spool(munin_t) @@ -17090,7 +17365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ') optional_policy(` -@@ -182,6 +184,7 @@ +@@ -182,6 +185,7 @@ # local policy for disk plugins # @@ -17098,7 +17373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) -@@ -195,10 +198,11 @@ +@@ -195,10 +199,11 @@ fs_getattr_all_fs(disk_munin_plugin_t) @@ -17111,7 +17386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni sysnet_read_config(disk_munin_plugin_t) -@@ -229,11 +233,13 @@ +@@ -229,11 +234,13 @@ mta_read_config(mail_munin_plugin_t) mta_send_mail(mail_munin_plugin_t) 
@@ -17125,7 +17400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ') optional_policy(` -@@ -249,6 +255,8 @@ +@@ -249,6 +256,8 @@ allow services_munin_plugin_t self:udp_socket create_socket_perms; allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; @@ -17134,7 +17409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni corenet_tcp_connect_all_ports(services_munin_plugin_t) corenet_tcp_connect_http_port(services_munin_plugin_t) -@@ -286,6 +294,10 @@ +@@ -286,6 +295,10 @@ snmp_read_snmp_var_lib_files(services_munin_plugin_t) ') @@ -17145,7 +17420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ################################## # # local policy for system plugins -@@ -300,6 +312,8 @@ +@@ -300,6 +313,8 @@ corecmd_exec_shell(system_munin_plugin_t) @@ -17154,7 +17429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni fs_getattr_all_fs(system_munin_plugin_t) dev_read_sysfs(system_munin_plugin_t) -@@ -313,3 +327,5 @@ +@@ -313,3 +328,5 @@ sysnet_exec_ifconfig(system_munin_plugin_t) term_getattr_unallocated_ttys(system_munin_plugin_t) @@ -17162,7 +17437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.8.7/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/mysql.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/mysql.te 2010-07-19 16:42:39.000000000 -0400 @@ -64,6 +64,7 @@ manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) 
@@ -17171,7 +17446,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file }) -@@ -156,6 +157,7 @@ +@@ -78,9 +79,10 @@ + manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) + files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) + ++manage_dirs_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) + manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) + manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) +-files_pid_filetrans(mysqld_t, mysqld_var_run_t, { file sock_file }) ++files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) + + kernel_read_system_state(mysqld_t) + kernel_read_kernel_sysctls(mysqld_t) +@@ -156,6 +158,7 @@ allow mysqld_safe_t self:capability { chown dac_override fowner kill }; dontaudit mysqld_safe_t self:capability sys_ptrace; allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; @@ -17179,7 +17466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) -@@ -175,6 +177,7 @@ +@@ -175,6 +178,7 @@ domain_read_all_domains_state(mysqld_safe_t) @@ -17492,7 +17779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.8.7/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/nscd.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/nscd.te 2010-07-19 17:05:32.000000000 -0400 @@ -1,9 +1,16 @@ -policy_module(nscd, 1.10.0) +policy_module(nscd, 1.10.1) 
@@ -17520,7 +17807,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd dontaudit nscd_t self:capability sys_tty_config; allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; allow nscd_t self:fifo_file read_fifo_file_perms; -@@ -90,6 +97,7 @@ +@@ -47,9 +54,10 @@ + allow nscd_t nscd_log_t:file manage_file_perms; + logging_log_filetrans(nscd_t, nscd_log_t, file) + ++manage_dirs_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) + manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) + manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) +-files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file }) ++files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file dir }) + + corecmd_search_bin(nscd_t) + can_exec(nscd_t, nscd_exec_t) +@@ -90,6 +98,7 @@ selinux_compute_relabel_context(nscd_t) selinux_compute_user_contexts(nscd_t) domain_use_interactive_fds(nscd_t) @@ -17528,7 +17827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd files_read_etc_files(nscd_t) files_read_generic_tmp_symlinks(nscd_t) -@@ -112,6 +120,10 @@ +@@ -112,6 +121,10 @@ userdom_dontaudit_search_user_home_dirs(nscd_t) optional_policy(` @@ -17539,7 +17838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd cron_read_system_job_tmp_files(nscd_t) ') -@@ -127,3 +139,16 @@ +@@ -127,3 +140,16 @@ xen_dontaudit_rw_unix_stream_sockets(nscd_t) xen_append_log(nscd_t) ') 
@@ -17586,7 +17885,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.8.7/policy/modules/services/nut.te --- nsaserefpolicy/policy/modules/services/nut.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/nut.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/nut.te 2010-07-19 17:05:24.000000000 -0400 +@@ -41,7 +41,7 @@ + manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) + manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) + manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) +-files_pid_filetrans(nut_upsd_t, nut_var_run_t, { file sock_file }) ++files_pid_filetrans(nut_upsd_t, nut_var_run_t, { file sock_file dir }) + + kernel_read_kernel_sysctls(nut_upsd_t) + @@ -103,6 +103,10 @@ mta_send_mail(nut_upsmon_t) 
@@ -17677,9 +17985,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oide logging_send_syslog_msg(oidentd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.8.7/policy/modules/services/openct.te +--- nsaserefpolicy/policy/modules/services/openct.te 2010-06-18 13:07:19.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/openct.te 2010-07-19 17:05:19.000000000 -0400 +@@ -20,9 +20,10 @@ + dontaudit openct_t self:capability sys_tty_config; + allow openct_t self:process signal_perms; + ++manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t) + manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) + manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) +-files_pid_filetrans(openct_t, openct_var_run_t, { file sock_file }) ++files_pid_filetrans(openct_t, openct_var_run_t, { file sock_file dir }) + + kernel_read_kernel_sysctls(openct_t) + kernel_list_proc(openct_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.8.7/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/openvpn.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/openvpn.te 2010-07-19 16:44:56.000000000 -0400 @@ -24,6 +24,9 @@ type openvpn_etc_rw_t; files_config_file(openvpn_etc_rw_t) @@ -17690,7 +18013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open type openvpn_initrc_exec_t; init_script_file(openvpn_initrc_exec_t) -@@ -58,6 +61,9 @@ +@@ -58,9 +61,13 @@ manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t) filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) 
@@ -17700,7 +18023,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open allow openvpn_t openvpn_var_log_t:file manage_file_perms; logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) -@@ -113,6 +119,7 @@ ++manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) + manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) + files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir }) + +@@ -113,6 +120,7 @@ sysnet_etc_filetrans_config(openvpn_t) userdom_use_user_terminals(openvpn_t) @@ -17710,7 +18037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open userdom_read_user_home_content_files(openvpn_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.8.7/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/pegasus.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/pegasus.te 2010-07-19 17:05:12.000000000 -0400 @@ -29,7 +29,7 @@ # Local policy # 
@@ -17720,7 +18047,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega dontaudit pegasus_t self:capability sys_tty_config; allow pegasus_t self:process signal; allow pegasus_t self:fifo_file rw_fifo_file_perms; -@@ -65,6 +65,8 @@ +@@ -57,14 +57,17 @@ + files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir }) + + allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink }; ++manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) + manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) +-files_pid_filetrans(pegasus_t, pegasus_var_run_t, file) ++files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir }) + + kernel_read_kernel_sysctls(pegasus_t) + kernel_read_fs_sysctls(pegasus_t) kernel_read_system_state(pegasus_t) kernel_search_vm_sysctl(pegasus_t) kernel_read_net_sysctls(pegasus_t) @@ -17729,7 +18066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega corenet_all_recvfrom_unlabeled(pegasus_t) corenet_all_recvfrom_netlabel(pegasus_t) -@@ -95,13 +97,12 @@ +@@ -95,13 +98,12 @@ auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -17745,7 +18082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega files_read_var_lib_symlinks(pegasus_t) hostname_exec(pegasus_t) -@@ -114,7 +115,6 @@ +@@ -114,7 +116,6 @@ miscfiles_read_localization(pegasus_t) @@ -17753,7 +18090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega sysnet_domtrans_ifconfig(pegasus_t) userdom_dontaudit_use_unpriv_user_fds(pegasus_t) -@@ -125,6 +125,14 @@ +@@ -125,6 +126,14 @@ ') optional_policy(` @@ -17768,7 +18105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega seutil_sigchld_newrole(pegasus_t) seutil_dontaudit_read_config(pegasus_t) ') -@@ -136,3 +144,13 @@ +@@ -136,3 +145,13 @@ optional_policy(` unconfined_signull(pegasus_t) ') 
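Review bot: The new `files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir })` sits directly under `allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };`, yet `sock_file` is not in the transition set, so a socket pegasus creates directly in /var/run would presumably be labelled with the parent's type rather than pegasus_var_run_t and the sock_file rule above would never match it. If the socket really lives in /var/run rather than in a pegasus-owned subdirectory, the line should read `files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir sock_file })`, and the hand-written sock_file allow could become `manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)` to match the neighbouring dir/file rules. The pegasus_t policy block continues outside this hunk, so the socket path itself is not visible here.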
@@ -18587,7 +18924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.8.7/policy/modules/services/portreserve.te --- nsaserefpolicy/policy/modules/services/portreserve.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/portreserve.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/portreserve.te 2010-07-19 17:05:04.000000000 -0400 @@ -9,6 +9,9 @@ type portreserve_exec_t; init_daemon_domain(portreserve_t, portreserve_exec_t) @@ -18598,6 +18935,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port type portreserve_etc_t; files_type(portreserve_etc_t) +@@ -35,7 +38,7 @@ + manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) + manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) + manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) +-files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file }) ++files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }) + + corecmd_getattr_bin_files(portreserve_t) + @@ -47,3 +50,5 @@ corenet_udp_bind_all_ports(portreserve_t) 
@@ -18989,9 +19335,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +userdom_manage_user_home_content(postfix_virtual_t) +userdom_home_filetrans_user_home_dir(postfix_virtual_t) +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.8.7/policy/modules/services/postgresql.te +--- nsaserefpolicy/policy/modules/services/postgresql.te 2010-06-18 13:07:19.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/postgresql.te 2010-07-19 17:04:59.000000000 -0400 +@@ -202,9 +202,10 @@ + files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file }) + fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file }) + ++manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) + manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) + manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) +-files_pid_filetrans(postgresql_t, postgresql_var_run_t, file) ++files_pid_filetrans(postgresql_t, postgresql_var_run_t, { file dir }) + + kernel_read_kernel_sysctls(postgresql_t) + kernel_read_system_state(postgresql_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.8.7/policy/modules/services/postgrey.te +--- nsaserefpolicy/policy/modules/services/postgrey.te 2010-06-18 13:07:19.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/postgrey.te 2010-07-19 17:04:54.000000000 -0400 +@@ -47,9 +47,10 @@ + manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t) + files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file) + ++manage_dirs_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t) + manage_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t) + manage_sock_files_pattern(postgrey_t, 
postgrey_var_run_t, postgrey_var_run_t) +-files_pid_filetrans(postgrey_t, postgrey_var_run_t, { file sock_file }) ++files_pid_filetrans(postgrey_t, postgrey_var_run_t, { file sock_file dir }) + + kernel_read_system_state(postgrey_t) + kernel_read_kernel_sysctls(postgrey_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.8.7/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/ppp.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/ppp.te 2010-07-19 17:04:50.000000000 -0400 @@ -70,7 +70,7 @@ # PPPD Local policy # @@ -19001,7 +19377,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. dontaudit pppd_t self:capability sys_tty_config; allow pppd_t self:process { getsched signal }; allow pppd_t self:fifo_file rw_fifo_file_perms; -@@ -194,6 +194,8 @@ +@@ -104,8 +104,9 @@ + manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) + files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir }) + ++manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) + manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) +-files_pid_filetrans(pppd_t, pppd_var_run_t, file) ++files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file }) + + allow pppd_t pptp_t:process signal; + +@@ -194,6 +195,8 @@ optional_policy(` mta_send_mail(pppd_t) 
@@ -19010,6 +19397,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ') optional_policy(` +@@ -243,9 +246,10 @@ + allow pptp_t pptp_log_t:file manage_file_perms; + logging_log_filetrans(pptp_t, pptp_log_t, file) + ++manage_dirs_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) + manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) + manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) +-files_pid_filetrans(pptp_t, pptp_var_run_t, file) ++files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir }) + + kernel_list_proc(pptp_t) + kernel_read_kernel_sysctls(pptp_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.8.7/policy/modules/services/prelude.te +--- nsaserefpolicy/policy/modules/services/prelude.te 2010-07-14 11:21:53.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/prelude.te 2010-07-19 16:48:25.000000000 -0400 +@@ -72,9 +72,10 @@ + manage_files_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t) + files_search_var_lib(prelude_t) + ++manage_dirs_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) + manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) + manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) +-files_pid_filetrans(prelude_t, prelude_var_run_t, file) ++files_pid_filetrans(prelude_t, prelude_var_run_t, { dir file }) + + kernel_read_system_state(prelude_t) + kernel_read_sysctl(prelude_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.8.7/policy/modules/services/procmail.fc --- nsaserefpolicy/policy/modules/services/procmail.fc 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.8.7/policy/modules/services/procmail.fc 2010-07-14 14:08:02.000000000 -0400 
@@ -19138,8 +19552,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad allow $1 psad_t:process { ptrace signal_perms }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.8.7/policy/modules/services/psad.te --- nsaserefpolicy/policy/modules/services/psad.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/psad.te 2010-07-14 14:08:02.000000000 -0400 -@@ -85,6 +85,7 @@ ++++ serefpolicy-3.8.7/policy/modules/services/psad.te 2010-07-19 16:48:51.000000000 -0400 +@@ -53,9 +53,10 @@ + logging_log_filetrans(psad_t, psad_var_log_t, { file dir }) + + # pid file ++manage_dirs_pattern(psad_t, psad_var_run_t, psad_var_run_t) + manage_files_pattern(psad_t, psad_var_run_t, psad_var_run_t) + manage_sock_files_pattern(psad_t, psad_var_run_t, psad_var_run_t) +-files_pid_filetrans(psad_t, psad_var_run_t, { file sock_file }) ++files_pid_filetrans(psad_t, psad_var_run_t, { dir file sock_file }) + + # tmp files + manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t) +@@ -85,6 +86,7 @@ dev_read_urand(psad_t) files_read_etc_runtime_files(psad_t) 
@@ -19149,7 +19575,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.8.7/policy/modules/services/puppet.te --- nsaserefpolicy/policy/modules/services/puppet.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/puppet.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/puppet.te 2010-07-19 16:50:44.000000000 -0400 +@@ -63,7 +63,7 @@ + manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) + files_search_var_lib(puppet_t) + +-setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) ++manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) + manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) + files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) + @@ -221,6 +221,8 @@ sysnet_dns_name_resolve(puppetmaster_t) sysnet_run_ifconfig(puppetmaster_t, system_r) @@ -19612,7 +20047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid +sysnet_dns_name_resolve(qpidd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.8.7/policy/modules/services/radius.te --- nsaserefpolicy/policy/modules/services/radius.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/radius.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/radius.te 2010-07-19 17:04:27.000000000 -0400 @@ -36,7 +36,7 @@ # gzip also needs chown access to preserve GID for radwtmp files allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; 
@@ -19622,6 +20057,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi allow radiusd_t self:fifo_file rw_fifo_file_perms; allow radiusd_t self:unix_stream_socket create_stream_socket_perms; allow radiusd_t self:tcp_socket create_stream_socket_perms; +@@ -59,8 +59,9 @@ + manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t) + + manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) ++manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) + manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) +-files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file }) ++files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir }) + + kernel_read_kernel_sysctls(radiusd_t) + kernel_read_system_state(radiusd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.8.7/policy/modules/services/radvd.te +--- nsaserefpolicy/policy/modules/services/radvd.te 2010-06-18 13:07:19.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/radvd.te 2010-07-19 17:04:23.000000000 -0400 +@@ -33,8 +33,9 @@ + + allow radvd_t radvd_etc_t:file read_file_perms; + ++manage_dirs_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t) + manage_files_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t) +-files_pid_filetrans(radvd_t, radvd_var_run_t, file) ++files_pid_filetrans(radvd_t, radvd_var_run_t, { file dir }) + + kernel_read_kernel_sysctls(radvd_t) + kernel_rw_net_sysctls(radvd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.8.7/policy/modules/services/razor.fc --- nsaserefpolicy/policy/modules/services/razor.fc 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.8.7/policy/modules/services/razor.fc 2010-07-14 14:08:02.000000000 -0400 
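Review bot: In the radius hunk the added `+manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)` is wedged between `manage_sock_files_pattern(...)` and `manage_files_pattern(...)`, whereas every other module touched by this commit (fetchmail, lpd, mysql, nscd, radvd in this same hunk, and so on) puts the dirs rule first in the var_run group. Moving the line above the sock_files rule keeps the dirs/files/sock_files ordering the refpolicy modules use and makes the var_run groups greppable in a consistent way. No behaviour change is involved; this is ordering only.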
@@ -19820,7 +20280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.8.7/policy/modules/services/rgmanager.te --- nsaserefpolicy/policy/modules/services/rgmanager.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/rgmanager.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/rgmanager.te 2010-07-19 17:04:17.000000000 -0400 @@ -17,6 +17,9 @@ domain_type(rgmanager_t) init_daemon_domain(rgmanager_t, rgmanager_exec_t) @@ -19831,9 +20291,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma type rgmanager_tmp_t; files_tmp_file(rgmanager_tmp_t) -@@ -59,7 +62,9 @@ +@@ -55,11 +58,14 @@ + manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t) + logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file }) + ++manage_dirs_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) + manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) - files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file }) +-files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file }) ++files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file dir }) +kernel_kill(rgmanager_t) kernel_read_kernel_sysctls(rgmanager_t) @@ -19841,7 +20307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma kernel_read_system_state(rgmanager_t) kernel_rw_rpc_sysctls(rgmanager_t) kernel_search_debugfs(rgmanager_t) -@@ -78,14 +83,19 @@ +@@ -78,14 +84,19 @@ domain_getattr_all_domains(rgmanager_t) domain_dontaudit_ptrace_all_domains(rgmanager_t) 
@@ -19862,7 +20328,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma storage_getattr_fixed_disk_dev(rgmanager_t) term_getattr_pty_fs(rgmanager_t) -@@ -140,6 +150,11 @@ +@@ -140,6 +151,11 @@ ') optional_policy(` @@ -20299,8 +20765,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.8.7/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/rpc.te 2010-07-14 14:08:02.000000000 -0400 -@@ -97,15 +97,26 @@ ++++ serefpolicy-3.8.7/policy/modules/services/rpc.te 2010-07-19 17:04:13.000000000 -0400 +@@ -63,8 +63,9 @@ + allow rpcd_t self:fifo_file rw_fifo_file_perms; + + allow rpcd_t rpcd_var_run_t:dir setattr; ++manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) + manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) +-files_pid_filetrans(rpcd_t, rpcd_var_run_t, file) ++files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir }) + + # rpc.statd executes sm-notify + can_exec(rpcd_t, rpcd_exec_t) +@@ -97,15 +98,26 @@ seutil_dontaudit_search_config(rpcd_t) @@ -20327,7 +20804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ######################################## # # NFSD local policy -@@ -120,6 +131,7 @@ +@@ -120,6 +132,7 @@ kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) kernel_dontaudit_getattr_core_if(nfsd_t) @@ -20335,7 +20812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. corenet_tcp_bind_all_rpc_ports(nfsd_t) corenet_udp_bind_all_rpc_ports(nfsd_t) -@@ -160,6 +172,7 @@ +@@ -160,6 +173,7 @@ fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) ') 
@@ -20343,7 +20820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. tunable_policy(`nfs_export_all_ro',` dev_getattr_all_blk_files(nfsd_t) -@@ -218,6 +231,8 @@ +@@ -218,6 +232,8 @@ userdom_list_user_tmp(gssd_t) userdom_read_user_tmp_files(gssd_t) userdom_read_user_tmp_symlinks(gssd_t) @@ -20720,7 +21197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.8.7/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/samba.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/samba.te 2010-07-19 16:58:05.000000000 -0400 @@ -152,9 +152,6 @@ type winbind_log_t; logging_log_file(winbind_log_t) @@ -20731,6 +21208,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb type winbind_var_run_t; files_pid_file(winbind_var_run_t) +@@ -230,7 +227,7 @@ + # + # smbd Local policy + # +-allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search }; ++allow smbd_t self:capability { chown fowner kill setgid setuid sys_nice sys_resource lease dac_override dac_read_search }; + dontaudit smbd_t self:capability sys_tty_config; + allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow smbd_t self:process setrlimit; +@@ -279,7 +276,7 @@ + manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) + manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) + manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) +-files_pid_filetrans(smbd_t, smbd_var_run_t, file) ++files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file }) + + allow smbd_t swat_t:process signal; + @@ -323,6 +320,7 @@ dev_getattr_all_chr_files(smbd_t) 
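Review bot: smbd_t gains the `kill` capability in the samba.te hunk without a comment saying which operation needs it; CAP_KILL lets a process signal processes owned by other uids, so a one-line justification above the allow line, e.g. `# kill: <operation or denial that requires it>` (placeholder), would let the next reader judge whether it is still needed. The SELinux process signal rules still constrain which domains smbd_t can actually signal, so this is a documentation request rather than a blocker. Separately, the `{ dir file }` form used here and in the nmbd, hotplug and ipsec hunks is the opposite order of the `{ file dir }` that this same change normalizes spamd, xserver and syslogd to; both are equivalent, but one ordering would make the pattern easier to grep across the tree.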
@@ -20773,7 +21268,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # -@@ -567,6 +560,7 @@ +@@ -484,8 +477,9 @@ + allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; + allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; + ++manage_dirs_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) + manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) +-files_pid_filetrans(nmbd_t, nmbd_var_run_t, file) ++files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file }) + + read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) + read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -567,6 +561,7 @@ allow smbcontrol_t winbind_t:process { signal signull }; @@ -20781,7 +21287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -692,6 +686,7 @@ +@@ -692,6 +687,7 @@ manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) @@ -20789,7 +21295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t smbd_exec_t:file mmap_file_perms ; -@@ -754,6 +749,8 @@ +@@ -754,6 +750,8 @@ miscfiles_read_localization(swat_t) @@ -20798,7 +21304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -806,10 +803,9 @@ +@@ -806,14 +804,14 @@ allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) 
@@ -20810,9 +21316,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +userdom_manage_user_tmp_files(winbind_t) +userdom_tmp_filetrans_user_tmp(winbind_t, { file dir }) ++manage_dirs_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) -@@ -833,6 +829,7 @@ +-files_pid_filetrans(winbind_t, winbind_var_run_t, file) ++files_pid_filetrans(winbind_t, winbind_var_run_t, { file dir }) + + kernel_read_kernel_sysctls(winbind_t) + kernel_read_system_state(winbind_t) +@@ -833,6 +831,7 @@ corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -20820,7 +21332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -922,6 +919,18 @@ +@@ -922,6 +921,18 @@ # optional_policy(` @@ -20839,7 +21351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -932,9 +941,12 @@ +@@ -932,9 +943,12 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; 
@@ -20855,8 +21367,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.8.7/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/sasl.te 2010-07-14 14:08:02.000000000 -0400 -@@ -49,6 +49,9 @@ ++++ serefpolicy-3.8.7/policy/modules/services/sasl.te 2010-07-19 17:03:59.000000000 -0400 +@@ -42,13 +42,17 @@ + manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t) + files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file) + ++manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) + manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) + manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) +-files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, file) ++files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, { file dir }) + kernel_read_kernel_sysctls(saslauthd_t) kernel_read_system_state(saslauthd_t) @@ -21069,7 +21590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr admin_pattern($1, setroubleshoot_var_lib_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.8.7/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/setroubleshoot.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/setroubleshoot.te 2010-07-19 17:03:50.000000000 -0400 @@ -32,6 +32,8 @@ allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config }; 
@@ -21079,7 +21600,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -57,6 +59,8 @@ +@@ -49,14 +51,17 @@ + logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir }) + + # pid file ++manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) + manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) + manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) +-files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file }) ++files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file dir }) + + kernel_read_kernel_sysctls(setroubleshootd_t) kernel_read_system_state(setroubleshootd_t) kernel_read_net_sysctls(setroubleshootd_t) kernel_read_network_state(setroubleshootd_t) @@ -21088,7 +21619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) -@@ -121,6 +125,10 @@ +@@ -121,6 +126,10 @@ userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` @@ -21099,7 +21630,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ') -@@ -152,6 +160,7 @@ +@@ -152,6 +161,7 @@ corecmd_exec_shell(setroubleshoot_fixit_t) seutil_domtrans_setfiles(setroubleshoot_fixit_t) 
@@ -21107,7 +21638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr files_read_usr_files(setroubleshoot_fixit_t) files_read_etc_files(setroubleshoot_fixit_t) -@@ -164,6 +173,13 @@ +@@ -164,6 +174,13 @@ miscfiles_read_localization(setroubleshoot_fixit_t) @@ -21166,7 +21697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.8.7/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/snmp.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/snmp.te 2010-07-19 17:03:41.000000000 -0400 @@ -24,7 +24,7 @@ # # Local policy @@ -21176,7 +21707,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; -@@ -97,6 +97,7 @@ +@@ -43,8 +43,9 @@ + files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file }) + files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file) + ++manage_dirs_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) + manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) +-files_pid_filetrans(snmpd_t, snmpd_var_run_t, file) ++files_pid_filetrans(snmpd_t, snmpd_var_run_t, { file dir }) + + kernel_read_device_sysctls(snmpd_t) + kernel_read_kernel_sysctls(snmpd_t) +@@ -97,6 +98,7 @@ storage_dontaudit_read_fixed_disk(snmpd_t) storage_dontaudit_read_removable_device(snmpd_t) 
@@ -21366,7 +21908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.8.7/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-07-14 11:21:53.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/spamassassin.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/spamassassin.te 2010-07-19 17:03:35.000000000 -0400 @@ -19,6 +19,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) @@ -21586,7 +22128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -314,10 +405,12 @@ +@@ -314,11 +405,13 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -21596,10 +22138,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +-files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) +manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) - files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) ++files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) kernel_read_all_sysctls(spamd_t) + kernel_read_system_state(spamd_t) @@ -367,22 +460,27 @@ init_dontaudit_rw_utmp(spamd_t) 
@@ -22136,6 +22680,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd optional_policy(` dbus_system_bus_client(sssd_t) dbus_connect_system_bus(sssd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.8.7/policy/modules/services/stunnel.te +--- nsaserefpolicy/policy/modules/services/stunnel.te 2010-06-18 13:07:19.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/stunnel.te 2010-07-19 17:03:29.000000000 -0400 +@@ -46,8 +46,9 @@ + manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) + files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir }) + ++manage_dirs_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t) + manage_files_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t) +-files_pid_filetrans(stunnel_t, stunnel_var_run_t, file) ++files_pid_filetrans(stunnel_t, stunnel_var_run_t, { file dir }) + + kernel_read_kernel_sysctls(stunnel_t) + kernel_read_system_state(stunnel_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.8.7/policy/modules/services/sysstat.te --- nsaserefpolicy/policy/modules/services/sysstat.te 2010-06-18 13:07:19.000000000 -0400 +++ serefpolicy-3.8.7/policy/modules/services/sysstat.te 2010-07-14 14:08:02.000000000 -0400 
@@ -22267,8 +22825,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd +iscsi_manage_semaphores(tgtd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.8.7/policy/modules/services/tor.te --- nsaserefpolicy/policy/modules/services/tor.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/tor.te 2010-07-14 14:08:02.000000000 -0400 -@@ -100,6 +100,8 @@ ++++ serefpolicy-3.8.7/policy/modules/services/tor.te 2010-07-19 17:03:06.000000000 -0400 +@@ -67,9 +67,10 @@ + logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir }) + + # pid file ++manage_dirs_pattern(tor_t, tor_var_run_t, tor_var_run_t) + manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t) + manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t) +-files_pid_filetrans(tor_t, tor_var_run_t, { file sock_file }) ++files_pid_filetrans(tor_t, tor_var_run_t, { file sock_file dir }) + + kernel_read_system_state(tor_t) + +@@ -100,6 +101,8 @@ auth_use_nsswitch(tor_t) @@ -23735,7 +24305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.8.7/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-07-14 11:21:53.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/xserver.te 2010-07-15 16:02:17.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/xserver.te 2010-07-19 17:02:45.000000000 -0400 @@ -35,6 +35,13 @@ ## 
@@ -24463,7 +25033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t) +manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t) +manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) -+files_pid_filetrans(xserver_t, xserver_var_run_t, { dir file }) ++files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir }) # Create files in /var/log with the xserver_log_t type. manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) @@ -24631,6 +25201,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +tunable_policy(`use_samba_home_dirs',` + fs_append_cifs_files(xdmhomewriter) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.te serefpolicy-3.8.7/policy/modules/services/zabbix.te +--- nsaserefpolicy/policy/modules/services/zabbix.te 2010-06-18 13:07:19.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/zabbix.te 2010-07-19 16:59:27.000000000 -0400 +@@ -35,8 +35,9 @@ + logging_log_filetrans(zabbix_t, zabbix_log_t, file) + + # pid file ++manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) + manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) +-files_pid_filetrans(zabbix_t, zabbix_var_run_t, file) ++files_pid_filetrans(zabbix_t, zabbix_var_run_t, { file dir }) + + files_read_etc_files(zabbix_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zarafa.fc serefpolicy-3.8.7/policy/modules/services/zarafa.fc --- nsaserefpolicy/policy/modules/services/zarafa.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.7/policy/modules/services/zarafa.fc 2010-07-14 14:08:02.000000000 -0400 
@@ -24908,6 +25492,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zara +optional_policy(` + apache_content_template(zarafa) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.te serefpolicy-3.8.7/policy/modules/services/zebra.te +--- nsaserefpolicy/policy/modules/services/zebra.te 2010-06-18 13:07:19.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/zebra.te 2010-07-19 16:59:49.000000000 -0400 +@@ -61,9 +61,10 @@ + allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms; + files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file) + ++manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) + manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) + manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) +-files_pid_filetrans(zebra_t, zebra_var_run_t, { file sock_file }) ++files_pid_filetrans(zebra_t, zebra_var_run_t, { file sock_file dir }) + + kernel_read_system_state(zebra_t) + kernel_read_network_state(zebra_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.8.7/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2010-06-18 13:07:19.000000000 -0400 +++ serefpolicy-3.8.7/policy/modules/system/application.te 2010-07-14 14:08:02.000000000 -0400 @@ -25349,7 +25948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.8.7/policy/modules/system/hotplug.te --- nsaserefpolicy/policy/modules/system/hotplug.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/system/hotplug.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/system/hotplug.te 2010-07-19 16:38:42.000000000 -0400 @@ -23,7 +23,7 @@ # 
@@ -25359,7 +25958,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu # for access("/etc/bashrc", X_OK) on Red Hat dontaudit hotplug_t self:capability { dac_override dac_read_search }; allow hotplug_t self:process { setpgid getsession getattr signal_perms }; -@@ -45,6 +45,7 @@ +@@ -39,12 +39,14 @@ + + can_exec(hotplug_t, hotplug_exec_t) + ++manage_dirs_pattern(hotplug_t, hotplug_var_run_t, hotplug_var_run_t) + manage_files_pattern(hotplug_t, hotplug_var_run_t, hotplug_var_run_t) +-files_pid_filetrans(hotplug_t, hotplug_var_run_t, file) ++files_pid_filetrans(hotplug_t, hotplug_var_run_t, { dir file }) + kernel_sigchld(hotplug_t) kernel_setpgid(hotplug_t) kernel_read_system_state(hotplug_t) @@ -25394,7 +26001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f # /var diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.8.7/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2010-03-18 10:35:11.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/system/init.if 2010-07-15 16:04:00.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/system/init.if 2010-07-19 12:16:35.000000000 -0400 @@ -105,7 +105,9 @@ role system_r types $1; @@ -25723,11 +26330,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + type init_t; + ') + -+ allow $1 init_t:unix_stream_socket rw_socket_perms; ++ allow $1 init_t:unix_stream_socket rw_stream_socket_perms; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.8.7/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-07-14 11:21:53.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/system/init.te 2010-07-15 15:58:07.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/system/init.te 2010-07-19 17:10:39.000000000 -0400 @@ -16,6 +16,27 @@ ## gen_tunable(init_upstart, false) 
@@ -25839,15 +26446,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -185,15 +216,48 @@ +@@ -185,15 +216,53 @@ sysadm_shell_domtrans(init_t) ') ++storage_raw_rw_fixed_disk(init_t) ++modutils_domtrans_insmod(init_t) ++ +tunable_policy(`init_systemd',` + allow init_t self:netlink_kobject_uevent_socket create_socket_perms; + # Until systemd is fixed + allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }; + ++ kernel_list_unlabeled(init_t) ++ + dev_write_kmsg(init_t) + dev_rw_autofs(init_t) + @@ -25888,7 +26500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t nscd_socket_use(init_t) ') -@@ -211,7 +275,7 @@ +@@ -211,7 +280,7 @@ # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -25897,7 +26509,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -240,6 +304,7 @@ +@@ -240,6 +309,7 @@ allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -25905,7 +26517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t can_exec(initrc_t, initrc_tmp_t) manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) -@@ -257,11 +322,22 @@ +@@ -257,11 +327,22 @@ kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -25928,7 +26540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t corecmd_exec_all_executables(initrc_t) -@@ -297,11 +373,13 @@ +@@ -297,11 +378,13 @@ dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
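Review bot: `storage_raw_rw_fixed_disk(init_t)` and `modutils_domtrans_insmod(init_t)` are added unconditionally, immediately before the `tunable_policy(`init_systemd',` block, so sysvinit installs also grant init_t raw read/write on fixed-disk device nodes and a transition into the insmod domain. If these are for systemd, as their placement next to the new `kernel_list_unlabeled(init_t)` suggests, moving both lines inside the tunable scopes the extra access to `init_systemd`; if both init implementations need them, a short comment saying why init itself touches raw disks would help. Raw disk access on the init domain is broad enough to deserve either the conditional or the justification.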
@@ -25942,7 +26554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -320,8 +398,10 @@ +@@ -320,8 +403,10 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -25954,7 +26566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -337,6 +417,8 @@ +@@ -337,6 +422,8 @@ files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -25963,7 +26575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_delete_cgroup_dirs(initrc_t) fs_list_cgroup_dirs(initrc_t) -@@ -350,6 +432,8 @@ +@@ -350,6 +437,8 @@ fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -25972,7 +26584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -362,6 +446,7 @@ +@@ -362,6 +451,7 @@ mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -25980,7 +26592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t selinux_get_enforce_mode(initrc_t) -@@ -393,13 +478,14 @@ +@@ -393,13 +483,14 @@ miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript 
@@ -25996,7 +26608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -472,7 +558,7 @@ +@@ -472,7 +563,7 @@ # Red Hat systems seem to have a stray # fd open from the initrd @@ -26005,7 +26617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -518,6 +604,19 @@ +@@ -518,6 +609,19 @@ optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -26025,7 +26637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -525,10 +624,17 @@ +@@ -525,10 +629,17 @@ rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -26043,7 +26655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -543,6 +649,35 @@ +@@ -543,6 +654,35 @@ ') ') @@ -26079,7 +26691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -555,6 +690,8 @@ +@@ -555,6 +695,8 @@ optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -26088,7 +26700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -571,6 +708,7 @@ +@@ -571,6 +713,7 @@ optional_policy(` cgroup_stream_connect(initrc_t) @@ -26096,7 +26708,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -583,6 +721,11 @@ +@@ -583,6 +726,11 @@ ') optional_policy(` 
@@ -26108,7 +26720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -599,6 +742,7 @@ +@@ -599,6 +747,7 @@ dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -26116,7 +26728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` consolekit_dbus_chat(initrc_t) -@@ -700,7 +844,12 @@ +@@ -700,7 +849,12 @@ ') optional_policy(` @@ -26129,7 +26741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -723,6 +872,10 @@ +@@ -723,6 +877,10 @@ ') optional_policy(` @@ -26140,7 +26752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -765,8 +918,6 @@ +@@ -765,8 +923,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -26149,7 +26761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -779,10 +930,12 @@ +@@ -779,10 +935,12 @@ squid_manage_logs(initrc_t) ') @@ -26162,7 +26774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -804,11 +957,19 @@ +@@ -804,11 +962,19 @@ ') optional_policy(` @@ -26183,7 +26795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -818,6 +979,25 @@ +@@ -818,6 +984,25 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -26209,7 +26821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -843,3 +1023,33 @@ +@@ -843,3 +1028,33 @@ optional_policy(` zebra_read_config(initrc_t) ') 
@@ -26346,7 +26958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.8.7/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/system/ipsec.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/system/ipsec.te 2010-07-19 16:39:39.000000000 -0400 @@ -72,7 +72,7 @@ # @@ -26356,7 +26968,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. allow ipsec_t self:process { getcap setcap getsched signal setsched }; allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:udp_socket create_socket_perms; -@@ -166,6 +166,8 @@ +@@ -94,9 +94,10 @@ + manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) + files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file }) + ++manage_dirs_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) + manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) + manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) +-files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file }) ++files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file }) + + can_exec(ipsec_t, ipsec_mgmt_exec_t) + +@@ -166,6 +167,8 @@ miscfiles_read_localization(ipsec_t) sysnet_domtrans_ifconfig(ipsec_t) @@ -26365,7 +26989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) -@@ -184,8 +186,8 @@ +@@ -184,8 +187,8 @@ # allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; 
@@ -26376,7 +27000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; -@@ -224,7 +226,6 @@ +@@ -224,7 +227,6 @@ manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) @@ -26384,7 +27008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # whack needs to connect to pluto stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) -@@ -243,6 +244,17 @@ +@@ -243,6 +245,17 @@ kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -26402,7 +27026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -257,7 +269,7 @@ +@@ -257,7 +270,7 @@ domain_use_interactive_fds(ipsec_mgmt_t) # denials when ps tries to search /proc. Do not audit these denials. @@ -26411,7 +27035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # suppress audit messages about unnecessary socket access # cjp: this seems excessive domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t) -@@ -275,8 +287,11 @@ +@@ -275,8 +288,11 @@ fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -26424,7 +27048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. init_use_script_ptys(ipsec_mgmt_t) init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) -@@ -290,7 +305,9 @@ +@@ -290,7 +306,9 @@ seutil_dontaudit_search_config(ipsec_mgmt_t) 
@@ -26434,7 +27058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. userdom_use_user_terminals(ipsec_mgmt_t) -@@ -299,6 +316,23 @@ +@@ -299,6 +317,23 @@ ') optional_policy(` @@ -26458,7 +27082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. nscd_socket_use(ipsec_mgmt_t) ') -@@ -385,6 +419,8 @@ +@@ -385,6 +420,8 @@ sysnet_exec_ifconfig(racoon_t) @@ -26467,7 +27091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -411,6 +447,7 @@ +@@ -411,6 +448,7 @@ files_read_etc_files(setkey_t) init_dontaudit_use_fds(setkey_t) @@ -26475,7 +27099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # allow setkey to set the context for ipsec SAs and policy. ipsec_setcontext_default_spd(setkey_t) -@@ -422,3 +459,4 @@ +@@ -422,3 +460,4 @@ seutil_read_config(setkey_t) userdom_use_user_terminals(setkey_t) @@ -27129,7 +27753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin domain_system_change_exemption($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.8.7/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2010-07-14 11:21:53.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/system/logging.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/system/logging.te 2010-07-19 17:03:21.000000000 -0400 @@ -60,6 +60,7 @@ type syslogd_t; type syslogd_exec_t; 
@@ -27207,7 +27831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) -+files_pid_filetrans(syslogd_t, syslogd_var_run_t, { dir file }) ++files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir }) + # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) @@ -27994,8 +28618,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +userdom_use_user_terminals(showmount_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.8.7/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/system/raid.te 2010-07-14 14:08:02.000000000 -0400 -@@ -57,6 +57,7 @@ ++++ serefpolicy-3.8.7/policy/modules/system/raid.te 2010-07-19 17:06:00.000000000 -0400 +@@ -30,8 +30,9 @@ + allow mdadm_t mdadm_map_t:file manage_file_perms; + dev_filetrans(mdadm_t, mdadm_map_t, file) + ++manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) + manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) +-files_pid_filetrans(mdadm_t, mdadm_var_run_t, file) ++files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir }) + + kernel_read_system_state(mdadm_t) + kernel_read_kernel_sysctls(mdadm_t) +@@ -57,6 +58,7 @@ files_read_etc_files(mdadm_t) files_read_etc_runtime_files(mdadm_t) 
@@ -28812,7 +29447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-3.8.7/policy/modules/system/setrans.te --- nsaserefpolicy/policy/modules/system/setrans.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/system/setrans.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/system/setrans.te 2010-07-19 17:01:52.000000000 -0400 @@ -12,6 +12,7 @@ type setrans_t; type setrans_exec_t; @@ -28821,6 +29456,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setran type setrans_initrc_exec_t; init_script_file(setrans_initrc_exec_t) +@@ -44,9 +45,10 @@ + corecmd_search_bin(setrans_t) + + # create unix domain socket in /var ++manage_dirs_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t) + manage_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t) + manage_sock_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t) +-files_pid_filetrans(setrans_t, setrans_var_run_t, file) ++files_pid_filetrans(setrans_t, setrans_var_run_t, { file dir }) + + kernel_read_kernel_sysctls(setrans_t) + kernel_read_proc_symlinks(setrans_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.fc serefpolicy-3.8.7/policy/modules/system/sosreport.fc --- nsaserefpolicy/policy/modules/system/sosreport.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.7/policy/modules/system/sosreport.fc 2010-07-14 14:08:02.000000000 -0400 
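Review bot: The `# create unix domain socket in /var` comment in the `+@@ -44,9 +45,10 @@` hunk now heads a block that also grants `manage_dirs_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)` and a `dir` transition, so it no longer describes what the block allows; `# create runtime directory and unix domain socket under /var/run` would. The same drift appears in the xen.te hunk further down, where `# pid file` now sits above a directory-management rule and a `{ file sock_file dir }` transition for xenstored_t and could read `# pid file, socket and runtime directory`. Keeping these comments accurate matters more than usual here, because they are what a policy auditor uses to judge whether a broadened transition on the pid directory was intentional.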
@@ -29510,7 +30157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.f +/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.8.7/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/system/udev.te 2010-07-14 16:42:17.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/system/udev.te 2010-07-19 17:02:57.000000000 -0400 @@ -52,6 +52,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -29519,7 +30166,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -116,6 +117,7 @@ +@@ -72,7 +73,7 @@ + manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t) + manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) + manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) +-files_pid_filetrans(udev_t, udev_var_run_t, { dir file }) ++files_pid_filetrans(udev_t, udev_var_run_t, { file dir }) + + kernel_read_system_state(udev_t) + kernel_request_load_module(udev_t) +@@ -116,10 +117,13 @@ files_dontaudit_search_isid_type_dirs(udev_t) files_getattr_generic_locks(udev_t) files_search_mnt(udev_t) @@ -29527,7 +30183,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t fs_getattr_all_fs(udev_t) fs_list_inotifyfs(udev_t) -@@ -216,6 +218,10 @@ + fs_rw_anon_inodefs_files(udev_t) ++fs_list_auto_mountpoints(udev_t) ++fs_list_hugetlbfs(udev_t) + + mcs_ptrace_all(udev_t) + +@@ -216,6 +220,10 @@ ') optional_policy(` @@ -29538,7 +30200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t consoletype_exec(udev_t) ') -@@ -259,6 +265,10 @@ +@@ -259,6 +267,10 @@ ') optional_policy(` 
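Review bot: The two rules added in the `+@@ -116,10 +117,13 @@` hunk, `fs_list_auto_mountpoints(udev_t)` and `fs_list_hugetlbfs(udev_t)`, arrive without any comment naming the udev rule or denial that needs them, while they widen what udev_t may enumerate beyond the filesystems it already lists (`fs_list_inotifyfs(udev_t)` in context). A one-line comment above them, e.g. `# <placeholder: udev rule or AVC denial that lists automount and hugetlbfs mount points>`, would let the next reviewer tell a deliberate grant from an audit2allow paste. The `{ dir file }` to `{ file dir }` rewrite in the `+@@ -72,7 +73,7 @@` hunk is ordering only and needs nothing further.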
@@ -29549,7 +30211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +283,10 @@ +@@ -273,6 +285,10 @@ ') optional_policy(` @@ -32854,7 +33516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.8.7/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2010-07-14 11:21:53.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/system/xen.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/system/xen.te 2010-07-19 16:58:58.000000000 -0400 @@ -4,6 +4,7 @@ # # Declarations @@ -32883,7 +33545,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te ####################################### # # evtchnd local policy -@@ -346,6 +343,7 @@ +@@ -317,9 +314,10 @@ + files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) + + # pid file ++manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) + manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) + manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) +-files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file }) ++files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir }) + + # log files + manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) +@@ -346,6 +344,7 @@ files_read_usr_files(xenstored_t) @@ -32891,7 +33565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te fs_manage_xenfs_files(xenstored_t) storage_raw_read_fixed_disk(xenstored_t) -@@ -353,6 +351,7 @@ +@@ -353,6 +352,7 @@ storage_raw_read_removable_device(xenstored_t) term_use_generic_ptys(xenstored_t) 
@@ -32899,7 +33573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te init_use_fds(xenstored_t) init_use_script_ptys(xenstored_t) -@@ -365,98 +364,9 @@ +@@ -365,98 +365,9 @@ ######################################## # diff --git a/selinux-policy.spec b/selinux-policy.spec index 59629a1..48917fd 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.8.7 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,9 @@ exit 0 %endif %changelog +* Mon Jul 14 2010 Dan Walsh 3.8.7-3 +- Fix eclipse labeling from IBMSupportAssasstant packageing + * Mon Jul 14 2010 Dan Walsh 3.8.7-2 - Make boot with systemd in enforcing mode