diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/nfs_selinux.8 serefpolicy-3.6.12/man/man8/nfs_selinux.8
573403
--- nsaserefpolicy/man/man8/nfs_selinux.8	2010-01-19 12:51:11.885608081 +0100
573403
+++ serefpolicy-3.6.12/man/man8/nfs_selinux.8	2010-01-19 12:51:30.666607854 +0100
cdc5b6
@@ -1,9 +1,9 @@
cdc5b6
 .TH  "nfs_selinux"  "8"  "9 Feb 2009" "dwalsh@redhat.com" "NFS SELinux Policy documentation"
cdc5b6
 .SH "NAME"
cdc5b6
-nfs_selinux \- Security Enhanced Linux Policy for NFS
cdc5b6
+nfs_selinux \- Security-Enhanced Linux Policy for NFS
cdc5b6
 .SH "DESCRIPTION"
cdc5b6
 
cdc5b6
-Security Enhanced Linux secures the NFS server via flexible mandatory access
cdc5b6
+Security-Enhanced Linux secures the NFS server via flexible mandatory access
cdc5b6
 control.  
cdc5b6
 .SH BOOLEANS
cdc5b6
 SELinux policy is customizable based on the least level of access required. SELinux can be configured to not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
cdc5b6
@@ -11,7 +11,7 @@
cdc5b6
 .TP
cdc5b6
 setsebool -P nfs_export_all_ro 1
cdc5b6
 .TP
cdc5b6
-If you want to share files read/write you must set the nfs_export_all_rw boolean.
cdc5b6
+If you want to share NFS partitions, and allow read and write access to those NFS partitions, turn the nfs_export_all_rw boolean on:
cdc5b6
 .TP
cdc5b6
 setsebool -P nfs_export_all_rw 1
cdc5b6
 
9eefb8
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.6.12/man/man8/samba_selinux.8
9eefb8
--- nsaserefpolicy/man/man8/samba_selinux.8	2009-04-07 21:54:45.000000000 +0200
573403
+++ serefpolicy-3.6.12/man/man8/samba_selinux.8	2010-01-19 12:51:30.667607981 +0100
9eefb8
@@ -20,7 +20,7 @@
9eefb8
 .TP
9eefb8
 This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
9eefb8
 .TP
9eefb8
-/var/eng(/.*)? system_u:object_r:samba_share_t
9eefb8
+/var/eng(/.*)? system_u:object_r:samba_share_t:s0
9eefb8
 .TP
9eefb8
 Run the restorecon command to apply the changes:
9eefb8
 .TP
9eefb8
@@ -53,4 +53,4 @@
9eefb8
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
9eefb8
 
9eefb8
 .SH "SEE ALSO"
9eefb8
-selinux(8), samba(7), chcon(1), setsebool(8)
9eefb8
+selinux(8), samba(7), chcon(1), setsebool(8), semanage(8)
ce3d03
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.12/policy/mcs
573403
--- nsaserefpolicy/policy/mcs	2010-01-19 12:51:11.888608672 +0100
573403
+++ serefpolicy-3.6.12/policy/mcs	2010-01-19 12:51:30.672607570 +0100
ce3d03
@@ -66,7 +66,7 @@
ce3d03
 #
ce3d03
 # Note that getattr on files is always permitted.
ce3d03
 #
ce3d03
-mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
7b4c69
+mlsconstrain { file chr_file blk_file lnk_file } { write setattr append unlink link rename ioctl lock execute relabelfrom }
ce3d03
 	(( h1 dom h2 ) or ( t1 == mlsfilewrite ));
ce3d03
 
ce3d03
 mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
ce3d03
@@ -111,22 +111,22 @@
ce3d03
 	(( h1 dom h2 ) and ( l2 eq h2 ));
ce3d03
 
ce3d03
 # Access control for any database objects based on MCS rules.
ce3d03
-mlsconstrain db_database { drop setattr relabelfrom access install_module load_module get_param set_param }
ce3d03
+mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
ce3d03
 	( h1 dom h2 );
ce3d03
 
ce3d03
-mlsconstrain db_table { drop setattr relabelfrom select update insert delete use }
ce3d03
+mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
ce3d03
 	( h1 dom h2 );
ce3d03
 
ce3d03
-mlsconstrain db_column { drop setattr relabelfrom select update insert use }
ce3d03
+mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use }
ce3d03
 	( h1 dom h2 );
ce3d03
 
ce3d03
 mlsconstrain db_tuple { relabelfrom select update delete use }
ce3d03
 	( h1 dom h2 );
ce3d03
 
ce3d03
-mlsconstrain db_procedure { execute install }
ce3d03
+mlsconstrain db_procedure { drop getattr setattr execute install }
ce3d03
 	( h1 dom h2 );
ce3d03
 
ce3d03
-mlsconstrain db_blob { drop setattr relabelfrom read write }
ce3d03
+mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
ce3d03
 	( h1 dom h2 );
ce3d03
 
ce3d03
 ') dnl end enable_mcs
26614e
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.12/policy/modules/admin/certwatch.te
573403
--- nsaserefpolicy/policy/modules/admin/certwatch.te	2010-01-19 12:51:11.890618006 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/admin/certwatch.te	2010-01-19 12:51:30.673607627 +0100
26614e
@@ -1,5 +1,5 @@
26614e
 
26614e
-policy_module(certwatch, 1.3.0)
26614e
+policy_module(certwatch, 1.3.1)
26614e
 
26614e
 ########################################
26614e
 #
26614e
@@ -28,7 +28,7 @@
26614e
 fs_list_inotifyfs(certwatch_t)
26614e
 
26614e
 auth_manage_cache(certwatch_t)
26614e
-auth_filetrans_cache(certwatch_t)
26614e
+auth_var_filetrans_cache(certwatch_t)
26614e
 
26614e
 logging_send_syslog_msg(certwatch_t)
26614e
 
cdc5b6
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.12/policy/modules/admin/dmesg.te
573403
--- nsaserefpolicy/policy/modules/admin/dmesg.te	2010-01-19 12:51:11.892620356 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/admin/dmesg.te	2010-01-19 12:51:30.674607405 +0100
cdc5b6
@@ -62,3 +62,6 @@
cdc5b6
 optional_policy(`
cdc5b6
 	udev_read_db(dmesg_t)
cdc5b6
 ')
cdc5b6
+
cdc5b6
+#mcelog needs
cdc5b6
+dev_read_raw_memory(dmesg_t)
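Review bot: `dev_read_raw_memory(dmesg_t)` gives the dmesg domain read access to the raw memory device nodes, which is far more than printing the kernel ring buffer requires, and the one-line `#mcelog needs` comment does not say which mcelog code path triggers it. If mcelog only runs in dmesg_t because it happens to share that label, a dedicated mcelog domain would keep this access off the ordinary dmesg path. At minimum expand the comment to record the denial being addressed, e.g. `# mcelog runs in dmesg_t and presumably reads the raw memory device for MCE decoding — TODO: split into its own domain`.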
d9ce44
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.12/policy/modules/admin/kismet.te
573403
--- nsaserefpolicy/policy/modules/admin/kismet.te	2010-01-19 12:51:11.894608528 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/admin/kismet.te	2010-01-19 12:51:30.674607405 +0100
d9ce44
@@ -23,6 +23,9 @@
d9ce44
 type kismet_var_lib_t;
d9ce44
 files_type(kismet_var_lib_t)
d9ce44
 
d9ce44
+type kismet_tmpfs_t;
d9ce44
+files_tmp_file(kismet_tmpfs_t)
d9ce44
+
d9ce44
 ########################################
d9ce44
 #
d9ce44
 # kismet local policy
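Review bot: `kismet_tmpfs_t` is declared with `files_tmp_file`, but the next hunk of this file uses it with `fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, file)`, so it is a tmpfs type and should be declared as other `*_tmpfs_t` types are. Declaring it as a tmp file type attaches the generic tmp-directory attribute and rules to a type that lives on tmpfs. Change `files_tmp_file(kismet_tmpfs_t)` to `files_tmpfs_file(kismet_tmpfs_t)`.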
d9ce44
@@ -44,6 +47,10 @@
d9ce44
 manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
d9ce44
 files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir })
d9ce44
 
d9ce44
+manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
d9ce44
+manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
d9ce44
+fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, file)
d9ce44
+
d9ce44
 allow kismet_t kismet_var_lib_t:file manage_file_perms;
d9ce44
 allow kismet_t kismet_var_lib_t:dir manage_dir_perms;
d9ce44
 files_var_lib_filetrans(kismet_t, kismet_var_lib_t, { file dir })
d9ce44
@@ -53,6 +60,7 @@
d9ce44
 files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
d9ce44
 
d9ce44
 kernel_search_debugfs(kismet_t)
d9ce44
+kernel_read_system_state(kismet_t)
d9ce44
 
d9ce44
 corecmd_exec_bin(kismet_t)
d9ce44
 
d9ce44
@@ -75,3 +83,11 @@
d9ce44
 
d9ce44
 userdom_use_user_terminals(kismet_t)
d9ce44
 userdom_read_user_tmpfs_files(kismet_t)
d9ce44
+
d9ce44
+optional_policy(`
d9ce44
+        dbus_system_bus_client(kismet_t)
d9ce44
+
d9ce44
+        optional_policy(`
d9ce44
+                networkmanager_dbus_chat(kismet_t)
d9ce44
+        ')
d9ce44
+')
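Review bot: The added optional_policy blocks are indented with eight spaces (`        dbus_system_bus_client(kismet_t)`) while the rest of this file uses a single tab. The same mixed indentation appears in the mrtg.te hunk (space-indented `hddtemp_domtrans(mrtg_t)` next to tab-indented `hostname_exec(mrtg_t)`) and throughout the new shorewall.if, shorewall.te and gitosis.if files. Because this diff was generated with `-b -B --ignore-all-space`, the whitespace inconsistency is invisible here but will land in the tree; convert to tabs before merging.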
832e49
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.12/policy/modules/admin/logrotate.te
573403
--- nsaserefpolicy/policy/modules/admin/logrotate.te	2010-01-19 12:51:11.895617594 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/admin/logrotate.te	2010-01-19 12:51:30.675616123 +0100
70ed45
@@ -32,7 +32,7 @@
70ed45
 # Change ownership on log files.
70ed45
 allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
70ed45
 # for mailx
70ed45
-dontaudit logrotate_t self:capability { setuid setgid };
70ed45
+dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
70ed45
 
70ed45
 allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
70ed45
 
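Review bot: `sys_ptrace` is added under the existing `# for mailx` comment, so a reader now concludes mailx needs ptrace, which is undocumented and unlikely. A dontaudit on sys_ptrace silences a capability check that is worth knowing about, so it deserves its own rationale: split it into `dontaudit logrotate_t self:capability sys_ptrace;` with a comment naming the program or path that triggers it (`# TODO: confirm source of the sys_ptrace check`).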
832e49
@@ -188,6 +188,10 @@
832e49
 ')
832e49
 
832e49
 optional_policy(`
832e49
+	psad_domtrans(logrotate_t)
832e49
+')  
832e49
+
832e49
+optional_policy(`
832e49
 	slrnpull_manage_spool(logrotate_t)
832e49
 ')
832e49
 
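Review bot: The closing `')  ` of the new psad optional_policy block carries trailing whitespace. The same appears on `files_getattr_all_pipes(readahead_t)  ` in readahead.te, `fs_getattr_xattr_fs(tzdata_t)  ` in tzdata.te, `mount_domtrans(rpm_script_t) ` in rpm.te and the `')  ` in calamaris.te. Strip it before merging so later whitespace-sensitive diffs stay clean.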
832e49
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.12/policy/modules/admin/mrtg.te
573403
--- nsaserefpolicy/policy/modules/admin/mrtg.te	2010-01-19 12:51:11.897608001 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/admin/mrtg.te	2010-01-19 12:51:30.676608358 +0100
674dfa
@@ -136,10 +136,18 @@
674dfa
 ')
674dfa
 
674dfa
 optional_policy(`
674dfa
+        hddtemp_domtrans(mrtg_t)
674dfa
+')
674dfa
+
674dfa
+optional_policy(`
674dfa
 	hostname_exec(mrtg_t)
832e49
 ')
832e49
 
832e49
 optional_policy(`
832e49
+	netutils_domtrans_ping(mrtg_t)
832e49
+')
832e49
+
832e49
+optional_policy(`
832e49
 	seutil_sigchld_newrole(mrtg_t)
832e49
 ')
832e49
 
cdc5b6
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.12/policy/modules/admin/netutils.te
573403
--- nsaserefpolicy/policy/modules/admin/netutils.te	2010-01-19 12:51:11.898617767 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/admin/netutils.te	2010-01-19 12:51:30.677620847 +0100
cdc5b6
@@ -38,7 +38,7 @@
cdc5b6
 
cdc5b6
 # Perform network administration operations and have raw access to the network.
cdc5b6
 allow netutils_t self:capability { net_admin net_raw setuid setgid };
cdc5b6
-dontaudit netutils_t self:capability sys_tty_config;
cdc5b6
+dontaudit netutils_t self:capability { sys_module sys_tty_config };
cdc5b6
 allow netutils_t self:process { sigkill sigstop signull signal };
cdc5b6
 allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
cdc5b6
 allow netutils_t self:packet_socket create_socket_perms;
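Review bot: The new `dontaudit netutils_t self:capability { sys_module sys_tty_config };` suppresses sys_module checks without saying which tool in netutils_t triggers them; a network utility attempting module autoload is exactly the kind of event an administrator would want in the audit log, so silencing it needs a stated reason. Add a comment such as `# dontaudit sys_module: <tool> probes for module autoload — TODO confirm source`, or, if the capability is genuinely needed, grant it explicitly instead of hiding the denial.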
036370
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.12/policy/modules/admin/prelink.te
573403
--- nsaserefpolicy/policy/modules/admin/prelink.te	2010-01-19 12:51:11.901618148 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/admin/prelink.te	2010-01-19 12:51:30.678620066 +0100
c556bd
@@ -68,10 +68,11 @@
c556bd
 files_list_all(prelink_t)
c556bd
 files_getattr_all_files(prelink_t)
c556bd
 files_write_non_security_dirs(prelink_t)
c556bd
-files_read_etc_files(prelink_t)
c556bd
-files_read_etc_runtime_files(prelink_t)
c556bd
+auth_read_all_files_except_shadow(prelink_t)
036370
 files_dontaudit_read_all_symlinks(prelink_t)
036370
 files_manage_usr_files(prelink_t)
036370
+# Delta RPMS
036370
+files_manage_var_files(prelink_t)
036370
 files_relabelfrom_usr_files(prelink_t)
036370
 
036370
 fs_getattr_xattr_fs(prelink_t)
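Review bot: `files_manage_var_files(prelink_t)` under the `# Delta RPMS` comment grants create, write and delete on every generic var_t file, which is far wider than whatever delta-RPM reconstruction path prelink needs; combined with `auth_read_all_files_except_shadow(prelink_t)` replacing the two narrow etc read rules, this hunk makes prelink a near-unrestricted reader and a broad /var writer. If the files involved have or can be given a dedicated type, use that type or an rpm interface (the next hunk already adds `rpm_manage_tmp_files(prelink_t)`), and expand the comment to name the path, e.g. `# Delta RPMs: reconstructed packages are written under /var — TODO narrow to a dedicated type`.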
c556bd
@@ -102,5 +103,9 @@
036370
 ')
036370
 
036370
 optional_policy(`
036370
+	rpm_manage_tmp_files(prelink_t)
036370
+')
036370
+
036370
+optional_policy(`
036370
 	unconfined_domain(prelink_t)
036370
 ')
e6583a
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te
573403
--- nsaserefpolicy/policy/modules/admin/readahead.te	2010-01-19 12:51:11.903617984 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te	2010-01-19 12:51:30.679620054 +0100
186c59
@@ -50,11 +50,13 @@
186c59
 domain_use_interactive_fds(readahead_t)
186c59
 domain_read_all_domains_state(readahead_t)
186c59
 
186c59
+files_getattr_all_pipes(readahead_t)  
186c59
 files_dontaudit_getattr_all_sockets(readahead_t)
186c59
 files_list_non_security(readahead_t)
e6583a
 files_read_non_security_files(readahead_t)
e6583a
 files_dontaudit_read_security_files(readahead_t)
e6583a
 files_dontaudit_getattr_non_security_blk_files(readahead_t)
e6583a
+files_create_boot_flag(readahead_t)
e6583a
 
e6583a
 fs_getattr_all_fs(readahead_t)
e6583a
 fs_search_auto_mountpoints(readahead_t)
d92107
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.12/policy/modules/admin/rpm.fc
573403
--- nsaserefpolicy/policy/modules/admin/rpm.fc	2010-01-19 12:51:11.904618041 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/admin/rpm.fc	2010-01-19 12:51:30.680608168 +0100
d92107
@@ -1,5 +1,6 @@
d92107
 
d92107
 /bin/rpm 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
d92107
+/usr/bin/rpm                    --      gen_context(system_u:object_r:rpm_exec_t,s0)
d92107
 /usr/bin/smart 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
d92107
 
d92107
 /usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
036370
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.12/policy/modules/admin/rpm.if
573403
--- nsaserefpolicy/policy/modules/admin/rpm.if	2010-01-19 12:51:11.905618238 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/admin/rpm.if	2010-01-19 12:51:30.681608994 +0100
036370
@@ -470,6 +470,24 @@
036370
 
036370
 ########################################
036370
 ## <summary>
036370
+##	Manage RPM tmp files
036370
+## </summary>
036370
+## <param name="domain">
036370
+##	<summary>
036370
+##	Domain to not audit.
036370
+##	</summary>
036370
+## </param>
036370
+#
036370
+interface(`rpm_manage_tmp_files',`
036370
+	gen_require(`
036370
+		type rpm_tmp_t;
036370
+	')
036370
+
036370
+	manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
036370
+')
036370
+
036370
+########################################
036370
+## <summary>
036370
 ##	Do not audit attempts to read, 
036370
 ##	write RPM tmp files
036370
 ## </summary>
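Review bot: The new `rpm_manage_tmp_files` interface documents its parameter as `Domain to not audit.`, copied from the dontaudit interface that follows it, although the body grants manage access. Change the param summary to `Domain allowed access.` so the generated interface documentation is not misleading.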
d92107
@@ -569,3 +587,31 @@
d92107
 	allow $1 rpm_t:process signull;
d92107
 ')
d92107
 
d92107
+########################################
d92107
+## <summary>
d92107
+##	dontaudit read and write an leaked file descriptors
d92107
+## </summary>
d92107
+## <param name="domain">
d92107
+##	<summary>
d92107
+##	The type of the process performing this action.
d92107
+##	</summary>
d92107
+## </param>
d92107
+#
d92107
+interface(`rpm_dontaudit_leaks',`
d92107
+	gen_require(`
d92107
+		type rpm_t;
d92107
+		type rpm_script_t;
d92107
+		type rpm_var_run_t;
d92107
+		type rpm_tmp_t;
d92107
+		type rpm_tmpfs_t;
d92107
+	')
d92107
+
d92107
+	dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms;
d92107
+	dontaudit $1 rpm_script_t:fd use;
d92107
+	dontaudit $1 rpm_script_t:fifo_file rw_fifo_file_perms;
d92107
+	dontaudit $1 rpm_var_run_t:file write_file_perms;
d92107
+	dontaudit $1 rpm_tmp_t:file rw_file_perms;
d92107
+	dontaudit $1 rpm_t:shm rw_shm_perms;
d92107
+ 	dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
d92107
+ 	dontaudit $1 rpm_tmpfs_t:file write_file_perms;
d92107
+')
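Review bot: The summary `dontaudit read and write an leaked file descriptors` is ungrammatical and understates the body, which also suppresses access to rpm_tmp_t, rpm_var_run_t and rpm_tmpfs_t files and directories; reword it to `Do not audit attempts to use leaked rpm file descriptors and to read or write rpm tmp, pid and tmpfs files.` The last two rules (`rpm_tmpfs_t:dir rw_dir_perms` and `rpm_tmpfs_t:file write_file_perms`) are indented with a space followed by a tab, unlike the rest of the block; use a single tab.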
832e49
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.12/policy/modules/admin/rpm.te
573403
--- nsaserefpolicy/policy/modules/admin/rpm.te	2010-01-19 12:51:11.907608156 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/admin/rpm.te	2010-01-19 12:51:30.685607338 +0100
832e49
@@ -377,6 +377,10 @@
832e49
 ')
832e49
 
832e49
 optional_policy(`
832e49
+	mount_domtrans(rpm_script_t) 
832e49
+')
832e49
+
832e49
+optional_policy(`
832e49
 	tzdata_domtrans(rpm_t)
832e49
 	tzdata_domtrans(rpm_script_t)
832e49
 ')
f0110b
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.6.12/policy/modules/admin/shorewall.fc
f0110b
--- nsaserefpolicy/policy/modules/admin/shorewall.fc	1970-01-01 01:00:00.000000000 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/admin/shorewall.fc	2010-01-19 12:51:30.686611725 +0100
11fc16
@@ -0,0 +1,13 @@
f0110b
+
f0110b
+/etc/rc\.d/init\.d/shorewall        	--      gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
f0110b
+/etc/rc\.d/init\.d/shorewall-lite       --      gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
f0110b
+
f0110b
+/etc/shorewall(/.*)?            		gen_context(system_u:object_r:shorewall_etc_t,s0)
f0110b
+/etc/shorewall-lite(/.*)?               	gen_context(system_u:object_r:shorewall_etc_t,s0)
f0110b
+
11fc16
+/sbin/shorewall6?                       --      gen_context(system_u:object_r:shorewall_exec_t,s0)
f0110b
+/sbin/shorewall-lite			--      gen_context(system_u:object_r:shorewall_exec_t,s0)
f0110b
+
f0110b
+/var/lib/shorewall(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
11fc16
+/var/lib/shorewall6(/.*)?                       gen_context(system_u:object_r:shorewall_var_lib_t,s0)
f0110b
+/var/lib/shorewall-lite(/.*)?           	gen_context(system_u:object_r:shorewall_var_lib_t,s0)
f0110b
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.6.12/policy/modules/admin/shorewall.if
f0110b
--- nsaserefpolicy/policy/modules/admin/shorewall.if	1970-01-01 01:00:00.000000000 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/admin/shorewall.if	2010-01-19 12:51:30.687608849 +0100
f0110b
@@ -0,0 +1,166 @@
f0110b
+## <summary>policy for shorewall</summary>
f0110b
+
f0110b
+########################################
f0110b
+## <summary>
f0110b
+##	Execute a domain transition to run shorewall.
f0110b
+## </summary>
f0110b
+## <param name="domain">
f0110b
+## <summary>
f0110b
+##	Domain allowed to transition.
f0110b
+## </summary>
f0110b
+## </param>
f0110b
+#
f0110b
+interface(`shorewall_domtrans',`
f0110b
+	gen_require(`
f0110b
+		type shorewall_t; 
f0110b
+		type shorewall_exec_t;
f0110b
+	')
f0110b
+
f0110b
+	domtrans_pattern($1, shorewall_exec_t, shorewall_t)
f0110b
+')
f0110b
+
f0110b
+#######################################
f0110b
+## <summary>
f0110b
+##      Read shorewall etc configuration files.
f0110b
+## </summary>
f0110b
+## <param name="domain">
f0110b
+##      <summary>
f0110b
+##      Domain allowed access.
f0110b
+##      </summary>
f0110b
+## </param>
f0110b
+#
f0110b
+interface(`shorewall_read_etc',`
f0110b
+        gen_require(`
f0110b
+                type shorewall_etc_t;
f0110b
+        ')
f0110b
+
f0110b
+        files_search_etc($1)
f0110b
+        read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
f0110b
+')
f0110b
+
f0110b
+#######################################
f0110b
+## <summary>
f0110b
+##      Read shorewall PID files.
f0110b
+## </summary>
f0110b
+## <param name="domain">
f0110b
+##      <summary>
f0110b
+##      Domain allowed access.
f0110b
+##      </summary>
f0110b
+## </param>
f0110b
+#
f0110b
+interface(`shorewall_read_pid_files',`
f0110b
+        gen_require(`
f0110b
+                type shorewall_var_run_t;
f0110b
+        ')
f0110b
+
f0110b
+        files_search_pids($1)
f0110b
+        read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
f0110b
+')
f0110b
+
f0110b
+#######################################
f0110b
+## <summary>
f0110b
+##      Read and write shorewall PID files.
f0110b
+## </summary>
f0110b
+## <param name="domain">
f0110b
+##      <summary>
f0110b
+##      Domain allowed access.
f0110b
+##      </summary>
f0110b
+## </param>
f0110b
+#
f0110b
+interface(`shorewall_rw_pid_files',`
f0110b
+        gen_require(`
f0110b
+                type shorewall_var_run_t;
f0110b
+        ')
f0110b
+
f0110b
+        files_search_pids($1)
f0110b
+        rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
f0110b
+')
f0110b
+
f0110b
+######################################
f0110b
+## <summary>
f0110b
+##      Read shorewall /var/lib files.
f0110b
+## </summary>
f0110b
+## <param name="domain">
f0110b
+##      <summary>
f0110b
+##      Domain allowed access.
f0110b
+##      </summary>
f0110b
+## </param>
f0110b
+#
f0110b
+interface(`shorewall_read_var_lib',`
f0110b
+        gen_require(`
f0110b
+                type shorewall_t;
f0110b
+       ')
f0110b
+
f0110b
+        files_search_var_lib($1)
f0110b
+        search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
f0110b
+        read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
f0110b
+')
f0110b
+
f0110b
+#######################################
f0110b
+## <summary>
f0110b
+##      Read and write shorewall /var/lib files.
f0110b
+## </summary>
f0110b
+## <param name="domain">
f0110b
+##      <summary>
f0110b
+##      Domain allowed access.
f0110b
+##      </summary>
f0110b
+## </param>
f0110b
+#
f0110b
+interface(`shorewall_rw_var_lib',`
f0110b
+        gen_require(`
f0110b
+                type shorewall_t;
f0110b
+       ')
f0110b
+
f0110b
+        files_search_var_lib($1)
f0110b
+        search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
f0110b
+        rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
f0110b
+')
f0110b
+
f0110b
+#######################################
f0110b
+## <summary>
f0110b
+##      All of the rules required to administrate 
f0110b
+##      an shorewall environment
f0110b
+## </summary>
f0110b
+## <param name="domain">
f0110b
+##      <summary>
f0110b
+##      Domain allowed access.
f0110b
+##      </summary>
f0110b
+## </param>
f0110b
+## <param name="role">
f0110b
+##      <summary>
f0110b
+##      The role to be allowed to manage the syslog domain.
f0110b
+##      </summary>
f0110b
+## </param>
f0110b
+## <rolecap/>
f0110b
+#
f0110b
+interface(`shorewall_admin',`
f0110b
+        gen_require(`
f0110b
+                type shorewall_t, shorewall_var_run_t, shorewall_lock_t;
f0110b
+                type shorewall_initrc_exec_t, shorewall_var_lib_t;
f0110b
+                type shorewall_tmp_t;
f0110b
+        ')
f0110b
+
f0110b
+        allow $1 shorewall_t:process { ptrace signal_perms };
f0110b
+        ps_process_pattern($1, shorewall_t)
f0110b
+
f0110b
+        init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
f0110b
+        domain_system_change_exemption($1)
f0110b
+        role_transition $2 shorewall_initrc_exec_t system_r;
f0110b
+        allow $2 system_r;
f0110b
+
f0110b
+        files_search_etc($1)
f0110b
+        admin_pattern($1, shorewall_etc_t)
f0110b
+
f0110b
+	files_search_locks($1)
f0110b
+	admin_pattern($1, shorewall_lock_t)
f0110b
+
f0110b
+        files_search_pids($1)
f0110b
+        admin_pattern($1, shorewall_var_run_t)
f0110b
+
f0110b
+        files_search_var_lib($1)
f0110b
+        admin_pattern($1, shorewall_var_lib_t)
f0110b
+
f0110b
+        files_search_tmp($1)
f0110b
+        admin_pattern($1, shorewall_tmp_t)
f0110b
+')
f0110b
+
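Review bot: `shorewall_read_var_lib` and `shorewall_rw_var_lib` list `type shorewall_t;` in gen_require but use `shorewall_var_lib_t`, and `shorewall_admin` uses `shorewall_etc_t` without requiring it; when these interfaces are called from another module the build fails with an out-of-scope type error. Replace `type shorewall_t;` with `type shorewall_var_lib_t;` in both var_lib interfaces and add `shorewall_etc_t` to the admin block's gen_require. Separately, `shorewall_var_run_t`, required by the pid-file and admin interfaces, is never declared in the shorewall.te hunk of this patch, the role param summary of `shorewall_admin` still reads `manage the syslog domain` from its template, and the `')` closing the two var_lib gen_require blocks is misaligned.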
f0110b
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.6.12/policy/modules/admin/shorewall.te
f0110b
--- nsaserefpolicy/policy/modules/admin/shorewall.te	1970-01-01 01:00:00.000000000 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/admin/shorewall.te	2010-01-19 12:51:30.689618043 +0100
f0110b
@@ -0,0 +1,103 @@
f0110b
+policy_module(shorewall,1.0.0)
f0110b
+
f0110b
+########################################
f0110b
+#
f0110b
+# Declarations
f0110b
+#
f0110b
+
f0110b
+type shorewall_t;
f0110b
+type shorewall_exec_t;
f0110b
+init_system_domain(shorewall_t, shorewall_exec_t)
f0110b
+
f0110b
+type shorewall_initrc_exec_t;
f0110b
+init_script_file(shorewall_initrc_exec_t)
f0110b
+
f0110b
+# etc files
f0110b
+type shorewall_etc_t;
f0110b
+files_config_file(shorewall_etc_t)
f0110b
+
f0110b
+# lock files
f0110b
+type shorewall_lock_t;
f0110b
+files_lock_file(shorewall_lock_t)
f0110b
+
f0110b
+# tmp files
f0110b
+type shorewall_tmp_t;
f0110b
+files_tmp_file(shorewall_tmp_t)
f0110b
+
f0110b
+# var/lib files
f0110b
+type shorewall_var_lib_t;
f0110b
+files_type(shorewall_var_lib_t)
f0110b
+
f0110b
+########################################
f0110b
+#
f0110b
+# shorewall local policy
f0110b
+#
f0110b
+
f0110b
+allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace};
f0110b
+dontaudit shorewall_t self:capability sys_tty_config;
f0110b
+allow shorewall_t self:process signal;
f0110b
+
f0110b
+allow shorewall_t self:fifo_file rw_fifo_file_perms;
f0110b
+
f0110b
+# etc file
f0110b
+read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
f0110b
+list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
f0110b
+
f0110b
+# lock files
f0110b
+manage_files_pattern(shorewall_t,shorewall_lock_t,shorewall_lock_t)
f0110b
+files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
f0110b
+
f0110b
+# var/lib files for shorewall
f0110b
+exec_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
f0110b
+manage_dirs_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
f0110b
+manage_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
f0110b
+files_var_lib_filetrans(shorewall_t,shorewall_var_lib_t, { dir file })
f0110b
+
f0110b
+# tmp files for shorewall
f0110b
+manage_dirs_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t)
f0110b
+manage_files_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t)
f0110b
+files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir })
f0110b
+
f0110b
+kernel_read_kernel_sysctls(shorewall_t)
f0110b
+kernel_read_system_state(shorewall_t)
f0110b
+kernel_read_network_state(shorewall_t)
f0110b
+kernel_rw_net_sysctls(shorewall_t)
f0110b
+
f0110b
+corecmd_exec_bin(shorewall_t)
f0110b
+corecmd_exec_shell(shorewall_t)
f0110b
+
f0110b
+dev_read_urand(shorewall_t)
f0110b
+
f0110b
+fs_getattr_all_fs(shorewall_t)
f0110b
+
f0110b
+domain_read_all_domains_state(shorewall_t)
f0110b
+
f0110b
+files_getattr_kernel_modules(shorewall_t)
f0110b
+files_read_etc_files(shorewall_t)
f0110b
+files_read_usr_files(shorewall_t)
f0110b
+files_search_kernel_modules(shorewall_t)
f0110b
+
f0110b
+init_rw_utmp(shorewall_t)
f0110b
+
f0110b
+libs_use_ld_so(shorewall_t)
f0110b
+libs_use_shared_libs(shorewall_t)
f0110b
+
f0110b
+logging_send_syslog_msg(shorewall_t)
f0110b
+
f0110b
+miscfiles_read_localization(shorewall_t)
f0110b
+
f0110b
+userdom_dontaudit_list_admin_dir(shorewall_t)
f0110b
+
f0110b
+sysnet_domtrans_ifconfig(shorewall_t)
f0110b
+iptables_domtrans(shorewall_t)
f0110b
+
f0110b
+optional_policy(`
f0110b
+        modutils_domtrans_insmod(shorewall_t)
f0110b
+')
f0110b
+
f0110b
+optional_policy(`
f0110b
+	ulogd_search_log(shorewall_t)
f0110b
+')
f0110b
+
f0110b
+permissive shorewall_t;
f0110b
+
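Review bot: The module ends with `permissive shorewall_t;`, so none of the rules above are enforced and the domain is confined only in the audit log; that is reasonable while the policy is being developed, but it ships in a versioned module with nothing marking it temporary. Add `# TODO: remove once the policy is stable` beside it, or drop it before release. The capability line grants `sys_ptrace` without a rationale (presumably for inspecting other processes' state alongside `domain_read_all_domains_state` — confirm it is actually needed), and as a style point `{ ... sys_ptrace}` is missing the space before the closing brace while `policy_module(shorewall,1.0.0)` lacks the space after the comma used by the other modules in this patch.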
23ec6c
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.12/policy/modules/admin/sudo.if
573403
--- nsaserefpolicy/policy/modules/admin/sudo.if	2010-01-19 12:51:11.908617992 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/admin/sudo.if	2010-01-19 12:51:30.689618043 +0100
23ec6c
@@ -152,6 +152,10 @@
23ec6c
 	optional_policy(`
23ec6c
 		dbus_system_bus_client($1_sudo_t)
23ec6c
 	')
23ec6c
+
23ec6c
+	optional_policy(`
23ec6c
+		fprintd_dbus_chat($1_sudo_t)
23ec6c
+	')
23ec6c
 ')
23ec6c
 
23ec6c
 ########################################
a0754b
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tzdata.te serefpolicy-3.6.12/policy/modules/admin/tzdata.te
a0754b
--- nsaserefpolicy/policy/modules/admin/tzdata.te	2009-04-07 21:54:49.000000000 +0200
573403
+++ serefpolicy-3.6.12/policy/modules/admin/tzdata.te	2010-01-19 12:51:30.690617961 +0100
a0754b
@@ -16,6 +16,8 @@
a0754b
 # tzdata local policy
a0754b
 #
a0754b
 
a0754b
+fs_getattr_xattr_fs(tzdata_t)  
a0754b
+
a0754b
 files_read_etc_files(tzdata_t)
a0754b
 files_search_spool(tzdata_t)
a0754b
 
d92107
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.12/policy/modules/admin/usermanage.if
d92107
--- nsaserefpolicy/policy/modules/admin/usermanage.if	2009-04-07 21:54:49.000000000 +0200
573403
+++ serefpolicy-3.6.12/policy/modules/admin/usermanage.if	2010-01-19 12:51:30.691607822 +0100
d92107
@@ -274,6 +274,9 @@
d92107
 	usermanage_domtrans_useradd($1)
d92107
 	role $2 types useradd_t;
d92107
 
d92107
+	# Add/remove user home directories
d92107
+	userdom_manage_home_role($2, useradd_t)
d92107
+
d92107
 	optional_policy(`
d92107
 		nscd_run(useradd_t, $2)
d92107
 	')
82c950
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.12/policy/modules/admin/usermanage.te
573403
--- nsaserefpolicy/policy/modules/admin/usermanage.te	2010-01-19 12:51:11.913617929 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/admin/usermanage.te	2010-01-19 12:51:30.693618133 +0100
82c950
@@ -209,6 +209,7 @@
82c950
 files_manage_etc_files(groupadd_t)
82c950
 files_relabel_etc_files(groupadd_t)
82c950
 files_read_etc_runtime_files(groupadd_t)
82c950
+files_read_usr_symlinks(groupadd_t)
82c950
 
82c950
 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
82c950
 corecmd_exec_bin(groupadd_t)
d92107
@@ -489,6 +490,8 @@
d92107
 
d92107
 userdom_use_unpriv_users_fds(useradd_t)
d92107
 # Add/remove user home directories
d92107
+userdom_manage_home_role(system_r, useradd_t)
d92107
+
d92107
 userdom_manage_user_home_content_dirs(useradd_t)
d92107
 userdom_manage_user_home_content_files(useradd_t)
d92107
 userdom_home_filetrans_user_home_dir(useradd_t)
cd5169
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.6.12/policy/modules/admin/vpn.te
cd5169
--- nsaserefpolicy/policy/modules/admin/vpn.te	2009-04-07 21:54:49.000000000 +0200
573403
+++ serefpolicy-3.6.12/policy/modules/admin/vpn.te	2010-01-19 12:51:30.694617981 +0100
cd5169
@@ -104,6 +104,7 @@
cd5169
 sysnet_etc_filetrans_config(vpnc_t)
cd5169
 sysnet_manage_config(vpnc_t)
cd5169
 
cd5169
+userdom_read_home_certs(vpnc_t)
cd5169
 userdom_use_all_users_fds(vpnc_t)
cd5169
 userdom_dontaudit_search_user_home_content(vpnc_t)
cd5169
 
9eefb8
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.12/policy/modules/apps/awstats.te
573403
--- nsaserefpolicy/policy/modules/apps/awstats.te	2010-01-19 12:51:11.915617346 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/apps/awstats.te	2010-01-19 12:51:30.694617981 +0100
9eefb8
@@ -28,6 +28,8 @@
9eefb8
 awstats_rw_pipes(awstats_t)
9eefb8
 awstats_cgi_exec(awstats_t)
9eefb8
 
9eefb8
+can_exec(awstats_t, awstats_exec_t)
9eefb8
+
9eefb8
 manage_dirs_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
9eefb8
 manage_files_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
9eefb8
 files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
23ec6c
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.12/policy/modules/apps/calamaris.te
23ec6c
--- nsaserefpolicy/policy/modules/apps/calamaris.te	2009-04-07 21:54:49.000000000 +0200
573403
+++ serefpolicy-3.6.12/policy/modules/apps/calamaris.te	2010-01-19 12:51:30.695618108 +0100
23ec6c
@@ -82,5 +82,9 @@
23ec6c
 ')
23ec6c
 
23ec6c
 optional_policy(`
23ec6c
+	nscd_socket_use(calamaris_t)
23ec6c
+')  
23ec6c
+
23ec6c
+optional_policy(`
23ec6c
 	nis_use_ypbind(calamaris_t)
23ec6c
 ')
39cdda
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.6.12/policy/modules/apps/gitosis.fc
26b349
--- nsaserefpolicy/policy/modules/apps/gitosis.fc	1970-01-01 01:00:00.000000000 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/apps/gitosis.fc	2010-01-19 12:51:30.696620471 +0100
39cdda
@@ -0,0 +1,4 @@
39cdda
+
39cdda
+/usr/bin/gitosis-serve			--        gen_context(system_u:object_r:gitosis_exec_t,s0)
39cdda
+
39cdda
+/var/lib/gitosis(/.*)?                            gen_context(system_u:object_r:gitosis_var_lib_t,s0)
39cdda
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.12/policy/modules/apps/gitosis.if
26b349
--- nsaserefpolicy/policy/modules/apps/gitosis.if	1970-01-01 01:00:00.000000000 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/apps/gitosis.if	2010-01-19 12:51:30.697608236 +0100
8b464d
@@ -0,0 +1,96 @@
39cdda
+## <summary>gitosis interface</summary>
39cdda
+
39cdda
+#######################################
39cdda
+## <summary>
39cdda
+##      Execute a domain transition to run gitosis.
39cdda
+## </summary>
39cdda
+## <param name="domain">
39cdda
+## <summary>
39cdda
+##      Domain allowed to transition.
39cdda
+## </summary>
39cdda
+## </param>
39cdda
+#
39cdda
+interface(`gitosis_domtrans',`
39cdda
+        gen_require(`
39cdda
+                type gitosis_t, gitosis_exec_t;
39cdda
+        ')
39cdda
+
39cdda
+        domtrans_pattern($1, gitosis_exec_t, gitosis_t)
39cdda
+')
39cdda
+
39cdda
+#######################################
39cdda
+## <summary>
39cdda
+##      Execute gitosis-serve in the gitosis domain, and
39cdda
+##      allow the specified role the gitosis domain.
39cdda
+## </summary>
39cdda
+## <param name="domain">
39cdda
+##      <summary>
39cdda
+##      Domain allowed access
39cdda
+##      </summary>
39cdda
+## </param>
39cdda
+## <param name="role">
39cdda
+##      <summary>
26b349
+##      The role to be allowed the gitosis domain.
39cdda
+##      </summary>
39cdda
+## </param>
39cdda
+## <param name="terminal">
39cdda
+##      <summary>
39cdda
+##      The type of the role's terminal.
39cdda
+##      </summary>
39cdda
+## </param>
39cdda
+#
39cdda
+interface(`gitosis_run',`
39cdda
+        gen_require(`
39cdda
+                type gitosis_t;
39cdda
+        ')
39cdda
+
39cdda
+        gitosis_domtrans($1)
39cdda
+        role $2 types gitosis_t;
39cdda
+        allow gitosis_t $3:chr_file rw_term_perms;
39cdda
+')
39cdda
+
39cdda
+#######################################
39cdda
+## <summary>
39cdda
+##      Allow the specified domain to read
39cdda
+##      gitosis lib files.
39cdda
+## </summary>
39cdda
+## <param name="domain">
39cdda
+##      <summary>
39cdda
+##      Domain allowed access.
39cdda
+##      </summary>
39cdda
+## </param>
39cdda
+#
39cdda
+interface(`gitosis_read_var_lib',`
39cdda
+        gen_require(`
39cdda
+                type gitosis_var_lib_t;
39cdda
+
39cdda
+        ')
8b464d
+	
8b464d
+	files_search_var_lib($1)
39cdda
+        read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
39cdda
+	read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
39cdda
+        list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
39cdda
+')
39cdda
+
39cdda
+######################################
39cdda
+## <summary>
39cdda
+##      Allow the specified domain to manage
39cdda
+##      gitosis lib files.
39cdda
+## </summary>
39cdda
+## <param name="domain">
39cdda
+##      <summary>
39cdda
+##      Domain allowed access.
39cdda
+##      </summary>
39cdda
+## </param>
39cdda
+#
39cdda
+interface(`gitosis_manage_var_lib',`
39cdda
+        gen_require(`
39cdda
+                type gitosis_var_lib_t;
39cdda
+
39cdda
+        ')
39cdda
+
8b464d
+	files_search_var_lib($1)
39cdda
+        manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
39cdda
+        manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
39cdda
+	manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
39cdda
+')
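Review bot: The gen_require blocks of gitosis_read_var_lib and gitosis_manage_var_lib each contain a stray blank line before the closing `')`, and their bodies mix tab and 8-space indentation (`files_search_var_lib($1)` is tab-indented while the neighbouring pattern calls are space-indented); the same tab/space mix appears in ptchown_domtrans in the ptchown.if hunk and in the nsplugin.if hunk. Refpolicy style is tab indentation throughout, so normalising these bodies to tabs and dropping the blank lines inside `gen_require(` keeps the new interfaces consistent with the rest of the tree. The four interfaces are otherwise complete and each ends within this hunk.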
39cdda
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.6.12/policy/modules/apps/gitosis.te
26b349
--- nsaserefpolicy/policy/modules/apps/gitosis.te	1970-01-01 01:00:00.000000000 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/apps/gitosis.te	2010-01-19 12:51:30.698608712 +0100
39cdda
@@ -0,0 +1,43 @@
39cdda
+policy_module(gitosis,1.0.0)
39cdda
+
39cdda
+########################################
39cdda
+#
39cdda
+# Declarations
39cdda
+#
39cdda
+
39cdda
+type gitosis_t;
39cdda
+type gitosis_exec_t;
39cdda
+application_domain(gitosis_t, gitosis_exec_t)
39cdda
+role system_r types gitosis_t;
39cdda
+
39cdda
+type gitosis_var_lib_t;
39cdda
+files_type(gitosis_var_lib_t)
39cdda
+
39cdda
+########################################
39cdda
+#
39cdda
+# gitosis local policy
39cdda
+#
39cdda
+
39cdda
+allow gitosis_t self:fifo_file rw_fifo_file_perms;
39cdda
+
39cdda
+exec_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
39cdda
+manage_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
39cdda
+manage_lnk_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
39cdda
+manage_dirs_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
39cdda
+
39cdda
+corecmd_exec_bin(gitosis_t) 
39cdda
+corecmd_exec_shell(gitosis_t)
39cdda
+
39cdda
+kernel_read_system_state(gitosis_t)
39cdda
+
39cdda
+files_read_usr_files(gitosis_t)
39cdda
+files_search_var_lib(gitosis_t)
39cdda
+
39cdda
+libs_use_ld_so(gitosis_t)
39cdda
+libs_use_shared_libs(gitosis_t)
39cdda
+
39cdda
+miscfiles_read_localization(gitosis_t)
39cdda
+
39cdda
+optional_policy(`
39cdda
+	ssh_rw_pipes(gitosis_t)
39cdda
+')
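Review bot: gitosis_t receives both manage_files_pattern and exec_files_pattern on gitosis_var_lib_t (plus corecmd_exec_shell), so anything the domain can write under /var/lib/gitosis it can also execute, and nothing records why. A comment such as `# repository hooks under the managed data directory must be executable by gitosis_t` above the exec rule would make the trade-off explicit, and giving the hook directory its own type that gitosis_t may execute but not write would narrow it further. The module declares no transition into gitosis_t itself; presumably a caller outside this diff uses gitosis_domtrans from the SSH side.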
c7e17d
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.12/policy/modules/apps/gnome.te
573403
--- nsaserefpolicy/policy/modules/apps/gnome.te	2010-01-19 12:51:11.922608458 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/apps/gnome.te	2010-01-19 12:51:30.699608071 +0100
b8bcb3
@@ -114,6 +114,16 @@
c7e17d
 
c7e17d
 userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)
c7e17d
 
c7e17d
+tunable_policy(`use_nfs_home_dirs',`
c7e17d
+        fs_manage_nfs_dirs(gconfdefaultsm_t)
c7e17d
+        fs_manage_nfs_files(gconfdefaultsm_t)
c7e17d
+')
c7e17d
+
c7e17d
+tunable_policy(`use_samba_home_dirs',`
c7e17d
+        fs_manage_cifs_dirs(gconfdefaultsm_t)
c7e17d
+        fs_manage_cifs_files(gconfdefaultsm_t)
c7e17d
+')
c7e17d
+
c7e17d
 optional_policy(`
c7e17d
         consolekit_dbus_chat(gconfdefaultsm_t)
c7e17d
 ')
9eefb8
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.12/policy/modules/apps/gpg.if
573403
--- nsaserefpolicy/policy/modules/apps/gpg.if	2010-01-19 12:51:11.924618072 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/apps/gpg.if	2010-01-19 12:51:30.699608071 +0100
9eefb8
@@ -30,7 +30,7 @@
9eefb8
 
9eefb8
 	# allow ps to show gpg
9eefb8
 	ps_process_pattern($2, gpg_t)
9eefb8
-	allow $2 gpg_t:process { signal sigkill };
9eefb8
+	allow $2 gpg_t:process { signull sigstop signal sigkill };
9eefb8
 
9eefb8
 	# communicate with the user 
9eefb8
 	allow gpg_helper_t $2:fd use;
9eefb8
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.12/policy/modules/apps/gpg.te
573403
--- nsaserefpolicy/policy/modules/apps/gpg.te	2010-01-19 12:51:11.925621412 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/apps/gpg.te	2010-01-19 12:51:30.701607837 +0100
9eefb8
@@ -90,6 +90,7 @@
9eefb8
 corenet_tcp_connect_all_ports(gpg_t)
9eefb8
 corenet_sendrecv_all_client_packets(gpg_t)
9eefb8
 
9eefb8
+dev_read_generic_usb_dev(gpg_t)
9eefb8
 dev_read_rand(gpg_t)
9eefb8
 dev_read_urand(gpg_t)
9eefb8
 
b8bcb3
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.12/policy/modules/apps/java.te
573403
--- nsaserefpolicy/policy/modules/apps/java.te	2010-01-19 12:51:11.928618231 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/apps/java.te	2010-01-19 12:51:30.701607837 +0100
b8bcb3
@@ -148,6 +148,8 @@
b8bcb3
 	# execheap is needed for itanium/BEA jrocket
b8bcb3
 	allow unconfined_java_t self:process { execstack execmem execheap };
b8bcb3
 
b8bcb3
+	files_execmod_all_files(unconfined_java_t)
b8bcb3
+
b8bcb3
 	init_dbus_chat_script(unconfined_java_t)
b8bcb3
 
b8bcb3
 	unconfined_domain_noaudit(unconfined_java_t)
40f5c9
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.12/policy/modules/apps/mozilla.if
573403
--- nsaserefpolicy/policy/modules/apps/mozilla.if	2010-01-19 12:51:11.934607820 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/apps/mozilla.if	2010-01-19 12:51:30.702607964 +0100
7b4c69
@@ -45,6 +45,18 @@
7b4c69
 	relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
7b4c69
 	relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
7b4c69
 	relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
7b4c69
+
7b4c69
+	mozilla_dbus_chat($2)
7b4c69
+
7b4c69
+	userdom_manage_tmp_role($1, mozilla_t)
7b4c69
+
7b4c69
+	optional_policy(`
7b4c69
+		nsplugin_role($1, mozilla_t)
7b4c69
+	')
7b4c69
+
7b4c69
+	optional_policy(`
7b4c69
+		pulseaudio_role($1, mozilla_t)
7b4c69
+	')
7b4c69
 ')
7b4c69
 
7b4c69
 ########################################
7b4c69
@@ -64,6 +76,7 @@
40f5c9
 
40f5c9
 	allow $1 mozilla_home_t:dir list_dir_perms;
40f5c9
 	allow $1 mozilla_home_t:file read_file_perms;
40f5c9
+	allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
40f5c9
 	userdom_search_user_home_dirs($1)
40f5c9
 ')
40f5c9
 
7b4c69
@@ -82,7 +95,8 @@
7b4c69
 		type mozilla_home_t;
7b4c69
 	')
7b4c69
 
7b4c69
-	write_files_pattern($1, mozilla_home_t, mozilla_home_t)
7b4c69
+	allow $1 mozilla_home_t:dir list_dir_perms;
7b4c69
+	allow $1 mozilla_home_t:file write_file_perms;
7b4c69
 	userdom_search_user_home_dirs($1)
7b4c69
 ')
7b4c69
 
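Review bot: The new `allow $1 mozilla_home_t:dir list_dir_perms;` is wider than the directory access the removed `write_files_pattern` call granted, which in the refpolicy support macros is search only; if this interface is meant to give write access alone, `allow $1 mozilla_home_t:dir search_dir_perms;` keeps the old directory footprint. If listing the profile directory is genuinely required by callers, a one-line comment saying so would stop the next reader from reverting it. The interface's header and gen_require begin before this hunk.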
494f21
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.12/policy/modules/apps/mozilla.te
573403
--- nsaserefpolicy/policy/modules/apps/mozilla.te	2010-01-19 12:51:11.935618493 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/apps/mozilla.te	2010-01-19 12:51:30.704607869 +0100
7b4c69
@@ -59,6 +59,7 @@
7b4c69
 manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
7b4c69
 manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
7b4c69
 userdom_search_user_home_dirs(mozilla_t)
7b4c69
+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
7b4c69
 
7b4c69
 # Mozpluggerrc
7b4c69
 allow mozilla_t mozilla_conf_t:file read_file_perms;
7b4c69
@@ -97,6 +98,7 @@
7b4c69
 corenet_tcp_connect_ftp_port(mozilla_t)
7b4c69
 corenet_tcp_connect_ipp_port(mozilla_t)
7b4c69
 corenet_tcp_connect_generic_port(mozilla_t)
7b4c69
+corenet_tcp_connect_soundd_port(mozilla_t)
7b4c69
 corenet_sendrecv_http_client_packets(mozilla_t)
7b4c69
 corenet_sendrecv_http_cache_client_packets(mozilla_t)
7b4c69
 corenet_sendrecv_ftp_client_packets(mozilla_t)
7b4c69
@@ -114,6 +116,8 @@
7b4c69
 dev_dontaudit_rw_dri(mozilla_t)
7b4c69
 dev_getattr_sysfs_dirs(mozilla_t)
7b4c69
 
7b4c69
+domain_dontaudit_read_all_domains_state(mozilla_t)
7b4c69
+
7b4c69
 files_read_etc_runtime_files(mozilla_t)
7b4c69
 files_read_usr_files(mozilla_t)
7b4c69
 files_read_etc_files(mozilla_t)
7b4c69
@@ -139,12 +143,7 @@
7b4c69
 # Browse the web, connect to printer
7b4c69
 sysnet_dns_name_resolve(mozilla_t)
7b4c69
 
7b4c69
-userdom_manage_user_home_content_dirs(mozilla_t)
7b4c69
-userdom_manage_user_home_content_files(mozilla_t)
7b4c69
-userdom_manage_user_home_content_symlinks(mozilla_t)
7b4c69
-userdom_manage_user_tmp_dirs(mozilla_t)
7b4c69
-userdom_manage_user_tmp_files(mozilla_t)
7b4c69
-userdom_manage_user_tmp_sockets(mozilla_t)
494f21
+userdom_use_user_ptys(mozilla_t)
494f21
 
494f21
 xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
494f21
 xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
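Review bot: The six removed userdom_manage_user_home_content_* and userdom_manage_user_tmp_* rules are not replaced within this hunk, so mozilla_t loses the ability to create or write generic user home content (for example saving a download outside a mozilla_home_t directory) unless a rule not in this diff covers it; the mozilla.if hunk adds userdom_manage_tmp_role for the tmp side, but nothing visible here covers home content. If the tightening is deliberate, a comment such as `# mozilla_t no longer manages generic user home content; only mozilla_home_t is writable` would record the intent, and if it is not, the home-content rules should return behind a tunable rather than silently disappearing.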
7b4c69
@@ -241,6 +240,9 @@
7b4c69
 optional_policy(`
7b4c69
 	dbus_system_bus_client(mozilla_t)
7b4c69
 	dbus_session_bus_client(mozilla_t)
7b4c69
+	optional_policy(`
7b4c69
+		networkmanager_dbus_chat(mozilla_t)
7b4c69
+	')
7b4c69
 ')
7b4c69
 
7b4c69
 optional_policy(`
d9ce44
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.12/policy/modules/apps/nsplugin.if
573403
--- nsaserefpolicy/policy/modules/apps/nsplugin.if	2010-01-19 12:51:11.939608107 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.if	2010-01-19 12:51:30.705618543 +0100
d9ce44
@@ -89,6 +89,8 @@
d9ce44
 	role $1 types nsplugin_config_t;
d9ce44
 
d9ce44
 	allow nsplugin_t $2:process signull;
d9ce44
+	allow nsplugin_t $2:sem rw_sem_perms;
d9ce44
+ 	allow nsplugin_t $2:shm rw_shm_perms;
d9ce44
 
d9ce44
 	list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
d9ce44
 	read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
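Review bot: The line `+ 	allow nsplugin_t $2:shm rw_shm_perms;` has a stray space before its tab, so it is indented differently from the `sem` rule directly above it. Beyond style, these two rules let the plugin domain read and write the calling user domain's System V semaphores and shared memory, which relaxes the boundary between nsplugin_t and the user; a comment recording which plugin needs this, e.g. `# rw access to the user's shm/sem is needed for <PLUGIN>`, would help a later reviewer judge whether it can be narrowed. The enclosing interface starts before this hunk.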
7414cf
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.fc serefpolicy-3.6.12/policy/modules/apps/ptchown.fc
7414cf
--- nsaserefpolicy/policy/modules/apps/ptchown.fc	1970-01-01 01:00:00.000000000 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/apps/ptchown.fc	2010-01-19 12:51:30.706618111 +0100
7414cf
@@ -0,0 +1,2 @@
7414cf
+
7414cf
+/usr/libexec/pt_chown	--	gen_context(system_u:object_r:ptchown_exec_t,s0)
7414cf
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.6.12/policy/modules/apps/ptchown.if
7414cf
--- nsaserefpolicy/policy/modules/apps/ptchown.if	1970-01-01 01:00:00.000000000 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/apps/ptchown.if	2010-01-19 12:51:30.706618111 +0100
7414cf
@@ -0,0 +1,22 @@
7414cf
+
7414cf
+## <summary>helper function for grantpt(3), changes ownship and permissions of pseudotty</summary>
7414cf
+
7414cf
+########################################
7414cf
+## <summary>
7414cf
+##	Execute a domain transition to run ptchown.
7414cf
+## </summary>
7414cf
+## <param name="domain">
7414cf
+## <summary>
7414cf
+##	Domain allowed to transition.
7414cf
+## </summary>
7414cf
+## </param>
7414cf
+#
7414cf
+interface(`ptchown_domtrans',`
7414cf
+	gen_require(`
7414cf
+		type ptchown_t;
7414cf
+                type ptchown_exec_t;
7414cf
+	')
7414cf
+
7414cf
+	domtrans_pattern($1,ptchown_exec_t,ptchown_t)
7414cf
+')
7414cf
+
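Review bot: The module summary on the second line misspells ownership: `## <summary>helper function for grantpt(3), changes ownship and permissions of pseudotty</summary>` should read `## <summary>helper function for grantpt(3), changes ownership and permissions of pseudotty</summary>`. The gen_require in ptchown_domtrans mixes a tab-indented `type ptchown_t;` with a space-indented `type ptchown_exec_t;`; a single tab-indented `type ptchown_t, ptchown_exec_t;` matches the style of the other new interfaces in this diff. The trailing empty `+` line at the end of the file is also unnecessary.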
7414cf
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.6.12/policy/modules/apps/ptchown.te
7414cf
--- nsaserefpolicy/policy/modules/apps/ptchown.te	1970-01-01 01:00:00.000000000 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/apps/ptchown.te	2010-01-19 12:51:30.710608074 +0100
9eefb8
@@ -0,0 +1,40 @@
7414cf
+policy_module(ptchown,1.0.0)
7414cf
+
7414cf
+########################################
7414cf
+#
7414cf
+# Declarations
7414cf
+#
7414cf
+
7414cf
+type ptchown_t;
7414cf
+type ptchown_exec_t;
7414cf
+application_domain(ptchown_t, ptchown_exec_t)
7414cf
+role system_r types ptchown_t;
7414cf
+
7414cf
+permissive ptchown_t;
7414cf
+
7414cf
+########################################
7414cf
+#
7414cf
+# ptchown local policy
7414cf
+#
7414cf
+
9eefb8
+allow ptchown_t self:capability { chown fowner fsetid setuid };
7414cf
+allow ptchown_t self:process { getcap setcap };
7414cf
+
7414cf
+# Init script handling
7414cf
+domain_use_interactive_fds(ptchown_t)
7414cf
+
7414cf
+# internal communication is often done using fifo and unix sockets.
7414cf
+allow ptchown_t self:fifo_file rw_file_perms;
7414cf
+allow ptchown_t self:unix_stream_socket create_stream_socket_perms;
7414cf
+
7414cf
+files_read_etc_files(ptchown_t)
7414cf
+
7414cf
+fs_rw_anon_inodefs_files(ptchown_t)
7414cf
+
7414cf
+term_setattr_generic_ptys(ptchown_t)
7414cf
+term_setattr_all_user_ptys(ptchown_t)
9eefb8
+term_use_generic_ptys(ptchown_t)
9eefb8
+term_use_ptmx(ptchown_t)
7414cf
+
7414cf
+miscfiles_read_localization(ptchown_t)
7414cf
+
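Review bot: `permissive ptchown_t;` makes this domain log-only, so the chown/fowner/fsetid/setuid capabilities and the setattr rules on generic and all user ptys granted below are not actually enforced; for a setuid helper that changes ownership of terminals that is a meaningful gap. If it is a bring-up aid, a comment such as `# TODO: remove permissive once the domain has been exercised in enforcing mode` marks it as temporary; the same pattern appears for sandbox_xserver_t in the sandbox.te hunk. Separately, `allow ptchown_t self:fifo_file rw_file_perms;` should use `rw_fifo_file_perms`, the fifo-specific set that gitosis.te in this same diff uses.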
e6583a
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.12/policy/modules/apps/qemu.fc
573403
--- nsaserefpolicy/policy/modules/apps/qemu.fc	2010-01-19 12:51:11.948618262 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/apps/qemu.fc	2010-01-19 12:51:30.710608074 +0100
e6583a
@@ -1,2 +1,3 @@
e6583a
 /usr/bin/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
e6583a
+/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
e6583a
 
686d80
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.12/policy/modules/apps/qemu.te
573403
--- nsaserefpolicy/policy/modules/apps/qemu.te	2010-01-19 12:51:11.951608237 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/apps/qemu.te	2010-01-19 12:51:30.711617700 +0100
cd5169
@@ -50,6 +50,9 @@
cd5169
 storage_raw_write_removable_device(qemu_t)
cd5169
 storage_raw_read_removable_device(qemu_t)
cd5169
 
cd5169
+dev_read_rand(qemu_t)
cd5169
+dev_read_urand(qemu_t)
cd5169
+
cd5169
 userdom_search_user_home_content(qemu_t)
cd5169
 userdom_read_user_tmpfs_files(qemu_t)
cd5169
 userdom_signull_unpriv_users(qemu_t)
cd5169
@@ -88,11 +91,16 @@
c556bd
 ')
c556bd
 
c556bd
 optional_policy(`
c556bd
+	dbus_system_bus_client(qemu_t)
c556bd
+')
c556bd
+
c556bd
+optional_policy(`
c556bd
 	samba_domtrans_smb(qemu_t)
c556bd
 ')
686d80
 
686d80
 optional_policy(`
686d80
 	virt_manage_images(qemu_t)
686d80
+	virt_append_log(qemu_t)
686d80
 ')
686d80
 
686d80
 optional_policy(`
494f21
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.12/policy/modules/apps/sandbox.if
573403
--- nsaserefpolicy/policy/modules/apps/sandbox.if	2010-01-19 12:51:11.955618035 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/apps/sandbox.if	2010-01-19 12:51:30.714607885 +0100
494f21
@@ -3,73 +3,143 @@
494f21
 
494f21
 ########################################
494f21
 ## <summary>
494f21
-##	Execute a domain transition to run sandbox.
494f21
+##	Execute sandbox in the sandbox domain, and
494f21
+##	allow the specified role the sandbox domain.
494f21
 ## </summary>
494f21
 ## <param name="domain">
494f21
 ## <summary>
494f21
-##	Domain allowed to transition.
494f21
+##	Domain allowed access
494f21
+##	</summary>
494f21
+## </param>
494f21
+## <param name="role">
494f21
+##	<summary>
494f21
+##	The role to be allowed the sandbox domain.
494f21
 ## </summary>
494f21
 ## </param>
494f21
 #
494f21
-interface(`sandbox_domtrans',`
494f21
+interface(`sandbox_transition',`
494f21
 	gen_require(`
494f21
-		type sandbox_t;
494f21
-                type sandbox_exec_t;
494f21
+		type sandbox_xserver_t;
494f21
+		attribute sandbox_domain;
494f21
 	')
494f21
 
494f21
-	domtrans_pattern($1,sandbox_exec_t,sandbox_t)
494f21
+	allow $1 sandbox_domain:process transition;
494f21
+	dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
494f21
+	role $2 types sandbox_domain;
494f21
+	role $2 types sandbox_xserver_t;
494f21
 ')
494f21
 
494f21
-
494f21
 ########################################
494f21
 ## <summary>
494f21
-##	Execute sandbox in the sandbox domain, and
494f21
-##	allow the specified role the sandbox domain.
494f21
+##	Creates types and rules for a basic
494f21
+##	qemu process domain.
494f21
 ## </summary>
494f21
-## <param name="domain">
494f21
+## <param name="prefix">
494f21
 ##	<summary>
494f21
-##	Domain allowed access
494f21
-##	</summary>
494f21
-## </param>
494f21
-## <param name="role">
494f21
-##	<summary>
494f21
-##	The role to be allowed the sandbox domain.
494f21
+##	Prefix for the domain.
494f21
 ##	</summary>
494f21
 ## </param>
494f21
 #
494f21
-interface(`sandbox_run',`
494f21
+template(`sandbox_domain_template',`
494f21
+
494f21
 	gen_require(`
494f21
-		type sandbox_t;
494f21
+		attribute sandbox_domain;
494f21
 	')
494f21
 
494f21
-	sandbox_domtrans($1)
494f21
-	role $2 types sandbox_t;
494f21
+	type $1_t, sandbox_domain;
494f21
+	domain_type($1_t)
494f21
+
494f21
+	type $1_file_t;
494f21
+	files_type($1_file_t)
494f21
+
494f21
+	can_exec($1_t, $1_file_t)
494f21
+	manage_dirs_pattern($1_t, $1_file_t, $1_file_t)
494f21
+	manage_files_pattern($1_t, $1_file_t, $1_file_t)
494f21
+	manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t)
494f21
+	manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
494f21
+	manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
494f21
 ')
494f21
 
494f21
 ########################################
494f21
 ## <summary>
494f21
-##	Role access for sandbox
494f21
+##	Creates types and rules for a basic
494f21
+##	qemu process domain.
494f21
 ## </summary>
494f21
-## <param name="role">
494f21
+## <param name="prefix">
494f21
 ##	<summary>
494f21
-##	Role allowed access
494f21
+##	Prefix for the domain.
494f21
 ##	</summary>
494f21
 ## </param>
494f21
+#
494f21
+template(`sandbox_x_domain_template',`
494f21
+	gen_require(`
494f21
+		type xserver_exec_t;
494f21
+		type sandbox_xserver_t;
494f21
+		attribute sandbox_domain, sandbox_x_domain;
494f21
+	')
494f21
+
494f21
+	sandbox_domain_template($1)
494f21
+
494f21
+	
494f21
+	typeattribute $1_t sandbox_x_domain;
494f21
+
494f21
+	# window manager
494f21
+	miscfiles_setattr_fonts($1_t)
494f21
+	allow $1_t self:capability setuid;
494f21
+
494f21
+	type $1_client_t, sandbox_x_domain, sandbox_domain;
494f21
+	domain_type($1_client_t)
494f21
+
494f21
+	type $1_client_tmpfs_t;
494f21
+	files_tmpfs_file($1_client_tmpfs_t)
494f21
+
494f21
+	allow $1_client_t sandbox_devpts_t:chr_file { rw_term_perms setattr };
494f21
+	term_create_pty($1_client_t,sandbox_devpts_t)
494f21
+
494f21
+	manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
494f21
+	fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
494f21
+	allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
494f21
+
494f21
+	domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
494f21
+	allow $1_t sandbox_xserver_t:process sigkill;
494f21
+
494f21
+	domtrans_pattern($1_t, $1_file_t, $1_client_t)
494f21
+	domain_entry_file($1_client_t,  $1_file_t)
494f21
+
494f21
+	manage_dirs_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
494f21
+	manage_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
494f21
+	manage_sock_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
494f21
+	allow sandbox_xserver_t $1_file_t:sock_file create_sock_file_perms;
494f21
+	ps_process_pattern(sandbox_xserver_t, $1_client_t)
494f21
+	ps_process_pattern(sandbox_xserver_t, $1_t)
494f21
+	allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
494f21
+	allow sandbox_xserver_t $1_t:shm rw_shm_perms;
494f21
+
494f21
+	can_exec($1_client_t, $1_file_t)
494f21
+	manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t)
494f21
+	manage_files_pattern($1_client_t, $1_file_t, $1_file_t)
494f21
+	manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t)
494f21
+	manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t)
494f21
+	manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t)
494f21
+
494f21
+#	permissive $1_client_t;
494f21
+')
494f21
+
494f21
+########################################
494f21
+## <summary>
494f21
+##	allow domain to read, 
494f21
+##	write sandbox_xserver tmp files
494f21
+## </summary>
494f21
 ## <param name="domain">
494f21
 ##	<summary>
494f21
-##	User domain for the role
494f21
+##	Domain to not audit.
494f21
 ##	</summary>
494f21
 ## </param>
494f21
 #
494f21
-interface(`sandbox_role',`
494f21
+interface(`sandbox_rw_xserver_tmpfs_files',`
494f21
 	gen_require(`
494f21
-              type sandbox_t;
494f21
+		type sandbox_xserver_tmpfs_t;
494f21
 	')
494f21
 
494f21
-	role $2 types sandbox_t;
494f21
-
494f21
-	sandbox_domtrans($1)
494f21
-
494f21
-	ps_process_pattern($2, sandbox_t)
494f21
-	allow $2 sandbox_t:process signal;
494f21
+	allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
494f21
 ')
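Review bot: Two doc headers are copy-paste errors: the summaries of sandbox_domain_template and sandbox_x_domain_template both say they create a `qemu process domain`, and the param description of sandbox_rw_xserver_tmpfs_files says `Domain to not audit.` although the interface grants rw_file_perms rather than a dontaudit. Suggested wording is `##	Creates types and rules for a basic sandbox process domain.` (and `sandbox X process domain` for the second template) and `##	Domain allowed access.` for the param. The body of sandbox_x_domain_template also references sandbox_devpts_t without listing it in its gen_require, unlike xserver_exec_t and sandbox_xserver_t which are listed; adding `type sandbox_devpts_t;` there keeps the template self-describing. Removing sandbox_domtrans, sandbox_run and sandbox_role with no compatibility wrappers will break any caller outside this diff that still uses them.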
070ff2
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.12/policy/modules/apps/sandbox.te
573403
--- nsaserefpolicy/policy/modules/apps/sandbox.te	2010-01-19 12:51:11.957607813 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/apps/sandbox.te	2010-01-19 12:51:30.715618069 +0100
494f21
@@ -1,18 +1,84 @@
494f21
 policy_module(sandbox,1.0.0)
494f21
+dbus_stub()
494f21
+attribute sandbox_domain;
494f21
+attribute sandbox_x_domain;
494f21
 
494f21
 ########################################
494f21
 #
494f21
 # Declarations
494f21
 #
494f21
 
494f21
-type sandbox_t;
494f21
-type sandbox_exec_t;
494f21
-application_domain(sandbox_t, sandbox_exec_t)
494f21
-init_daemon_domain(sandbox_t, sandbox_exec_t)
494f21
-role system_r types sandbox_t;
494f21
+sandbox_domain_template(sandbox)
494f21
+sandbox_x_domain_template(sandbox_x)
494f21
+sandbox_x_domain_template(sandbox_web)
494f21
+sandbox_x_domain_template(sandbox_net)
494f21
 
494f21
-type sandbox_file_t;
494f21
-files_type(sandbox_file_t)
494f21
+type sandbox_xserver_t;
494f21
+domain_type(sandbox_xserver_t)
494f21
+xserver_common_app(sandbox_xserver_t)
494f21
+permissive sandbox_xserver_t;
494f21
+
494f21
+type sandbox_xserver_tmpfs_t;
494f21
+files_tmpfs_file(sandbox_xserver_tmpfs_t)
494f21
+
494f21
+type sandbox_devpts_t;
494f21
+term_pty(sandbox_devpts_t)
494f21
+files_type(sandbox_devpts_t)
494f21
+
494f21
+########################################
494f21
+#
494f21
+# sandbox xserver policy
494f21
+#
494f21
+allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
494f21
+allow sandbox_xserver_t self:shm create_shm_perms;
494f21
+allow sandbox_xserver_t self:tcp_socket create_socket_perms;
494f21
+
494f21
+manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
494f21
+manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
494f21
+manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
494f21
+manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
494f21
+manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
494f21
+fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
494f21
+
494f21
+corecmd_exec_bin(sandbox_xserver_t)
494f21
+corecmd_exec_shell(sandbox_xserver_t)
494f21
+
494f21
+corenet_all_recvfrom_unlabeled(sandbox_xserver_t)
494f21
+corenet_all_recvfrom_netlabel(sandbox_xserver_t)
494f21
+corenet_tcp_sendrecv_generic_if(sandbox_xserver_t)
494f21
+corenet_udp_sendrecv_generic_if(sandbox_xserver_t)
494f21
+corenet_tcp_sendrecv_generic_node(sandbox_xserver_t)
494f21
+corenet_udp_sendrecv_generic_node(sandbox_xserver_t)
494f21
+corenet_tcp_sendrecv_all_ports(sandbox_xserver_t)
494f21
+corenet_udp_sendrecv_all_ports(sandbox_xserver_t)
494f21
+corenet_tcp_bind_generic_node(sandbox_xserver_t)
494f21
+corenet_tcp_bind_xserver_port(sandbox_xserver_t)
494f21
+corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
494f21
+corenet_sendrecv_all_client_packets(sandbox_xserver_t)
494f21
+
494f21
+files_read_etc_files(sandbox_xserver_t)
494f21
+files_read_usr_files(sandbox_xserver_t)
494f21
+files_search_home(sandbox_xserver_t)
494f21
+fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
494f21
+
494f21
+miscfiles_read_fonts(sandbox_xserver_t)
494f21
+miscfiles_read_localization(sandbox_xserver_t)
494f21
+
494f21
+kernel_read_system_state(sandbox_xserver_t)
494f21
+
494f21
+auth_use_nsswitch(sandbox_xserver_t)
494f21
+
494f21
+userdom_use_user_terminals(sandbox_xserver_t)
494f21
+
494f21
+xserver_entry_type(sandbox_xserver_t)
494f21
+
494f21
+optional_policy(`
494f21
+	dbus_system_bus_client(sandbox_xserver_t)
494f21
+
494f21
+	optional_policy(`
494f21
+		hal_dbus_chat(sandbox_xserver_t)
494f21
+	')
494f21
+')
070ff2
 
494f21
 ########################################
494f21
 #
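Review bot: sandbox_xserver_t, the X server every sandboxed client connects to, is declared `permissive` and is also given corenet_tcp_sendrecv_all_ports, corenet_udp_sendrecv_all_ports, corenet_tcp_bind_generic_node and corenet_sendrecv_all_client_packets, so the process sitting at the sandbox boundary can reach any TCP/UDP port and any denial is only logged. For a nested X server that only needs to accept its own clients, corenet_tcp_bind_xserver_port together with corenet_sendrecv_xserver_server_packets (both already present) look sufficient, and the all-ports rules deserve either a justifying comment or removal. The `dbus_stub()` call and the two `attribute` declarations are also placed above the `# Declarations` banner rather than under it, where the file's other declarations live.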
494f21
@@ -20,21 +86,189 @@
494f21
 #
494f21
 
494f21
 ## internal communication is often done using fifo and unix sockets.
494f21
-allow sandbox_t self:fifo_file rw_file_perms;
494f21
-allow sandbox_t self:unix_stream_socket create_stream_socket_perms;
494f21
+allow sandbox_domain self:fifo_file rw_file_perms;
494f21
+allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
494f21
+
494f21
+files_rw_all_inherited_files(sandbox_domain)
494f21
+files_entrypoint_all_files(sandbox_domain)
494f21
+
494f21
+miscfiles_read_localization(sandbox_domain)
494f21
+
494f21
+kernel_dontaudit_read_system_state(sandbox_domain)
494f21
+corecmd_exec_all_executables(sandbox_domain)
494f21
+
494f21
+
494f21
+########################################
494f21
+#
494f21
+# sandbox_x_domain local policy
494f21
+#
494f21
+allow sandbox_x_domain self:process { signal_perms getsched setpgid };
494f21
+allow sandbox_x_domain self:shm create_shm_perms;
494f21
+allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
494f21
+allow sandbox_x_domain self:unix_dgram_socket create_socket_perms;
494f21
+allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
494f21
+dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
494f21
+
494f21
+dev_read_urand(sandbox_x_domain)
494f21
+dev_dontaudit_read_rand(sandbox_x_domain)
494f21
+
494f21
+files_read_etc_files(sandbox_x_domain)
494f21
+files_read_usr_files(sandbox_x_domain)
494f21
+files_read_usr_symlinks(sandbox_x_domain)
494f21
+
494f21
+fs_getattr_tmpfs(sandbox_x_domain)
494f21
+fs_getattr_xattr_fs(sandbox_x_domain)
494f21
+
494f21
+auth_dontaudit_read_login_records(sandbox_x_domain)
494f21
+
494f21
+init_read_utmp(sandbox_x_domain)
494f21
+
494f21
+term_getattr_pty_fs(sandbox_x_domain)
494f21
+term_use_ptmx(sandbox_x_domain)
494f21
+
494f21
+logging_send_syslog_msg(sandbox_x_domain)
494f21
+
494f21
+miscfiles_read_fonts(sandbox_x_domain)
494f21
+
494f21
+optional_policy(`
494f21
+	gnome_read_gconf_config(sandbox_x_domain)
494f21
+')
494f21
+
494f21
+optional_policy(`
494f21
+	cups_stream_connect(sandbox_x_domain)
494f21
+	cups_read_rw_config(sandbox_x_domain)
494f21
+')
494f21
+
494f21
+########################################
494f21
+#
494f21
+# sandbox_x_client_t local policy
494f21
+#
494f21
+allow sandbox_x_client_t self:tcp_socket create_socket_perms;
494f21
+allow sandbox_x_client_t self:udp_socket create_socket_perms;
494f21
+allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
494f21
+allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms;
494f21
+
494f21
+dev_read_rand(sandbox_x_client_t)
494f21
+
494f21
+corenet_tcp_connect_ipp_port(sandbox_x_client_t)
070ff2
+
494f21
+auth_use_nsswitch(sandbox_x_client_t)
494f21
+
494f21
+dbus_system_bus_client(sandbox_x_client_t)
494f21
+dbus_read_config(sandbox_x_client_t)
494f21
+selinux_get_fs_mount(sandbox_x_client_t)
494f21
+selinux_validate_context(sandbox_x_client_t)
494f21
+selinux_compute_access_vector(sandbox_x_client_t)
494f21
+selinux_compute_create_context(sandbox_x_client_t)
494f21
+selinux_compute_relabel_context(sandbox_x_client_t)
494f21
+selinux_compute_user_contexts(sandbox_x_client_t)
494f21
+seutil_read_default_contexts(sandbox_x_client_t)
494f21
+
494f21
+optional_policy(`
494f21
+	hal_dbus_chat(sandbox_x_client_t)
494f21
+')
494f21
+
494f21
+########################################
494f21
+#
494f21
+# sandbox_web_client_t local policy
494f21
+#
494f21
+allow sandbox_web_client_t self:capability { setuid setgid };
494f21
+allow sandbox_web_client_t self:netlink_audit_socket nlmsg_relay;
494f21
+allow sandbox_web_client_t self:process setsched;
494f21
+
494f21
+allow sandbox_web_client_t self:tcp_socket create_socket_perms;
494f21
+allow sandbox_web_client_t self:udp_socket create_socket_perms;
494f21
+allow sandbox_web_client_t self:dbus { acquire_svc send_msg };
494f21
+allow sandbox_web_client_t self:netlink_selinux_socket create_socket_perms;
494f21
+
494f21
+dev_read_rand(sandbox_web_client_t)
494f21
+
494f21
+# Browse the web, connect to printer
494f21
+corenet_all_recvfrom_unlabeled(sandbox_web_client_t)
494f21
+corenet_all_recvfrom_netlabel(sandbox_web_client_t)
494f21
+corenet_tcp_sendrecv_generic_if(sandbox_web_client_t)
494f21
+corenet_raw_sendrecv_generic_if(sandbox_web_client_t)
494f21
+corenet_tcp_sendrecv_generic_node(sandbox_web_client_t)
494f21
+corenet_raw_sendrecv_generic_node(sandbox_web_client_t)
494f21
+corenet_tcp_sendrecv_http_port(sandbox_web_client_t)
494f21
+corenet_tcp_sendrecv_http_cache_port(sandbox_web_client_t)
494f21
+corenet_tcp_sendrecv_ftp_port(sandbox_web_client_t)
494f21
+corenet_tcp_sendrecv_ipp_port(sandbox_web_client_t)
494f21
+corenet_tcp_connect_http_port(sandbox_web_client_t)
494f21
+corenet_tcp_connect_http_cache_port(sandbox_web_client_t)
494f21
+corenet_tcp_connect_ftp_port(sandbox_web_client_t)
494f21
+corenet_tcp_connect_ipp_port(sandbox_web_client_t)
494f21
+corenet_tcp_connect_generic_port(sandbox_web_client_t)
494f21
+corenet_sendrecv_http_client_packets(sandbox_web_client_t)
494f21
+corenet_sendrecv_http_cache_client_packets(sandbox_web_client_t)
494f21
+corenet_sendrecv_ftp_client_packets(sandbox_web_client_t)
494f21
+corenet_sendrecv_ipp_client_packets(sandbox_web_client_t)
494f21
+corenet_sendrecv_generic_client_packets(sandbox_web_client_t)
494f21
+# Should not need other ports
494f21
+corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_client_t)
494f21
+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t)
494f21
+corenet_tcp_connect_speech_port(sandbox_web_client_t)
494f21
+
494f21
+auth_use_nsswitch(sandbox_web_client_t)
494f21
+
494f21
+dbus_system_bus_client(sandbox_web_client_t)
494f21
+dbus_read_config(sandbox_web_client_t)
494f21
+selinux_get_fs_mount(sandbox_web_client_t)
494f21
+selinux_validate_context(sandbox_web_client_t)
494f21
+selinux_compute_access_vector(sandbox_web_client_t)
494f21
+selinux_compute_create_context(sandbox_web_client_t)
494f21
+selinux_compute_relabel_context(sandbox_web_client_t)
494f21
+selinux_compute_user_contexts(sandbox_web_client_t)
494f21
+seutil_read_default_contexts(sandbox_web_client_t)
494f21
+
494f21
+optional_policy(`
494f21
+	nsplugin_read_rw_files(sandbox_web_client_t)
494f21
+	nsplugin_rw_exec(sandbox_web_client_t)
494f21
+')
494f21
+
494f21
+optional_policy(`
494f21
+	hal_dbus_chat(sandbox_web_client_t)
494f21
+')
494f21
+
494f21
+########################################
494f21
+#
494f21
+# sandbox_net_client_t local policy
494f21
+#
494f21
+allow sandbox_net_client_t self:tcp_socket create_socket_perms;
494f21
+allow sandbox_net_client_t self:udp_socket create_socket_perms;
494f21
+allow sandbox_net_client_t self:dbus { acquire_svc send_msg };
494f21
+allow sandbox_net_client_t self:netlink_selinux_socket create_socket_perms;
494f21
+
494f21
+dev_read_rand(sandbox_net_client_t)
494f21
 
494f21
-manage_dirs_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
494f21
-manage_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
494f21
-manage_lnk_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
494f21
-manage_fifo_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
494f21
-manage_sock_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
494f21
+corenet_all_recvfrom_unlabeled(sandbox_net_client_t)
494f21
+corenet_all_recvfrom_netlabel(sandbox_net_client_t)
494f21
+corenet_tcp_sendrecv_generic_if(sandbox_net_client_t)
494f21
+corenet_udp_sendrecv_generic_if(sandbox_net_client_t)
494f21
+corenet_tcp_sendrecv_generic_node(sandbox_net_client_t)
494f21
+corenet_udp_sendrecv_generic_node(sandbox_net_client_t)
494f21
+corenet_tcp_sendrecv_all_ports(sandbox_net_client_t)
494f21
+corenet_udp_sendrecv_all_ports(sandbox_net_client_t)
494f21
+corenet_tcp_connect_all_ports(sandbox_net_client_t)
494f21
+corenet_sendrecv_all_client_packets(sandbox_net_client_t)
494f21
 
494f21
-files_rw_all_inherited_files(sandbox_t)
494f21
-files_entrypoint_all_files(sandbox_t)
494f21
+auth_use_nsswitch(sandbox_net_client_t)
494f21
 
494f21
-libs_use_ld_so(sandbox_t)
494f21
-libs_use_shared_libs(sandbox_t)
494f21
+dbus_system_bus_client(sandbox_net_client_t)
494f21
+dbus_read_config(sandbox_net_client_t)
494f21
+selinux_get_fs_mount(sandbox_net_client_t)
494f21
+selinux_validate_context(sandbox_net_client_t)
494f21
+selinux_compute_access_vector(sandbox_net_client_t)
494f21
+selinux_compute_create_context(sandbox_net_client_t)
494f21
+selinux_compute_relabel_context(sandbox_net_client_t)
494f21
+selinux_compute_user_contexts(sandbox_net_client_t)
494f21
+seutil_read_default_contexts(sandbox_net_client_t)
494f21
 
494f21
-miscfiles_read_localization(sandbox_t)
494f21
+optional_policy(`
494f21
+	nsplugin_read_rw_files(sandbox_web_client_t)
494f21
+	nsplugin_rw_exec(sandbox_web_client_t)
494f21
+')
494f21
 
494f21
-userdom_use_user_ptys(sandbox_t)
494f21
+optional_policy(`
494f21
+	hal_dbus_chat(sandbox_net_client_t)
494f21
+')
23ec6c
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.12/policy/modules/apps/screen.if
573403
--- nsaserefpolicy/policy/modules/apps/screen.if	2010-01-19 12:51:11.958618556 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/apps/screen.if	2010-01-19 12:51:30.716619663 +0100
23ec6c
@@ -62,6 +62,7 @@
23ec6c
 	manage_dirs_pattern($1_screen_t, screen_dir_t, screen_dir_t)
23ec6c
 	filetrans_pattern($1_screen_t, screen_dir_t, screen_var_run_t, fifo_file)
23ec6c
 	files_pid_filetrans($1_screen_t, screen_dir_t, dir)
23ec6c
+	dontaudit $3 screen_var_run_t:fifo_file read;
23ec6c
 
23ec6c
 	allow $1_screen_t screen_home_t:dir list_dir_perms;
23ec6c
 	read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
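Review bot: The new `dontaudit $3 screen_var_run_t:fifo_file read;` silences denials without recording which program triggers them, so a later reader cannot tell whether the read should really be allowed, is harmless noise, or points at something probing screen's socket directory. Since dontaudit rules also hide evidence from the audit log, a one-line comment above it naming the trigger would help, e.g. `# the user domain ($3) probes screen's fifo in /var/run; it does not need to read it, so just silence the denial` — adjust to whatever actually caused the AVC. The enclosing template starts outside this hunk, so I cannot confirm that $3 is the user domain here.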
573403
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.6.12/policy/modules/apps/slocate.te
573403
--- nsaserefpolicy/policy/modules/apps/slocate.te	2009-04-07 21:54:49.000000000 +0200
573403
+++ serefpolicy-3.6.12/policy/modules/apps/slocate.te	2010-01-19 13:02:01.591608019 +0100
573403
@@ -50,6 +50,7 @@
573403
 fs_getattr_all_symlinks(locate_t)
573403
 fs_list_all(locate_t)
573403
 fs_list_inotifyfs(locate_t)
573403
+fs_read_noxattr_fs_symlinks(locate_t)
573403
 
573403
 # getpwnam
573403
 auth_use_nsswitch(locate_t)
2eeb52
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.12/policy/modules/apps/vmware.fc
26b349
--- nsaserefpolicy/policy/modules/apps/vmware.fc	2009-04-07 21:54:49.000000000 +0200
573403
+++ serefpolicy-3.6.12/policy/modules/apps/vmware.fc	2010-01-19 12:51:30.717611828 +0100
2eeb52
@@ -63,6 +63,7 @@
2eeb52
 ')
2eeb52
 
2eeb52
 /var/log/vmware.* 		--	gen_context(system_u:object_r:vmware_log_t,s0)
2eeb52
+/var/log/vnetlib.*		--	gen_context(system_u:object_r:vmware_log_t,s0)
2eeb52
 
2eeb52
 /var/run/vmnat.* 		-s	gen_context(system_u:object_r:vmware_var_run_t,s0)
2eeb52
 /var/run/vmware.* 			gen_context(system_u:object_r:vmware_var_run_t,s0)
2463bf
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.12/policy/modules/apps/vmware.te
573403
--- nsaserefpolicy/policy/modules/apps/vmware.te	2010-01-19 12:51:11.961607624 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/apps/vmware.te	2010-01-19 12:51:30.718618032 +0100
2463bf
@@ -136,7 +136,7 @@
2463bf
 
2463bf
 miscfiles_read_localization(vmware_host_t)
2463bf
 
2463bf
-sysnet_dns_name_resolve(vmware_host_t)
2463bf
+auth_use_nsswitch(vmware_host_t)
2463bf
 
2463bf
 storage_getattr_fixed_disk_dev(vmware_host_t)
2463bf
 
2463bf
@@ -160,6 +160,10 @@
2463bf
         xserver_common_app(vmware_host_t)
2463bf
 ')
2463bf
 
2463bf
+optional_policy(`
2463bf
+	unconfined_domain(vmware_host_t)
2463bf
+	unconfined_domain(vmware_t)
2463bf
+')
2463bf
 
2463bf
 ifdef(`TODO',`
2463bf
 # VMWare need access to pcmcia devices for network
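Review bot: `unconfined_domain(vmware_host_t)` and `unconfined_domain(vmware_t)` effectively drop the confinement the rest of this module builds — the storage_getattr_fixed_disk_dev and xserver rules just above become redundant once the domains are unconfined — and the hunk gives no reason for it. If this is a stopgap for missing rules, say so in a comment (`# TODO: vmware needs far more access than is modelled here; unconfine until the rules are written`) and consider gating it behind a boolean declared at the top of the module (outside this hunk) so an administrator can keep the confined behaviour. I am assuming vmware_t is the user-launched application domain declared earlier in vmware.te; that declaration is not visible in this patch.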
036370
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc
573403
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2010-01-19 12:51:11.965616444 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc	2010-01-19 12:51:30.719617600 +0100
c7eb8b
@@ -7,6 +7,7 @@
036370
 /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
036370
 /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
036370
 /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
036370
+/bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
036370
 /bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
036370
 /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
036370
 /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
c7eb8b
@@ -69,6 +70,8 @@
e6583a
 /etc/ppp/ipv6-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
e6583a
 /etc/ppp/ipv6-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
e6583a
 
e6583a
+/etc/racoon/scripts(/.*)?  		gen_context(system_u:object_r:bin_t,s0)
e6583a
+
e6583a
 /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
e6583a
 
e6583a
 /etc/security/namespace.init    --      gen_context(system_u:object_r:bin_t,s0)
c7eb8b
@@ -119,6 +122,7 @@
c7eb8b
 /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
c7eb8b
 /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
c7eb8b
 /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
c7eb8b
+/sbin/nologin                   --      gen_context(system_u:object_r:shell_exec_t,s0)
c7eb8b
 
c7eb8b
 #
c7eb8b
 # /opt
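Review bot: Labelling `/sbin/nologin` as shell_exec_t is not explained, and shell_exec_t is the type every domain with corecmd_exec_shell() may execute and that user domains use as an entrypoint. Presumably the intent is that accounts whose login shell is nologin are still a valid entrypoint so login rejects them cleanly rather than failing on an SELinux denial; if so, record that on the line above: `# nologin is a login shell, so it must be a shell entrypoint for user domains`. The entry also aligns its columns with spaces where the neighbouring lines use tabs.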
674dfa
@@ -145,6 +149,7 @@
036370
 /usr/(.*/)?Bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
036370
 /usr/(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
036370
 /usr/bin/git-shell		--	gen_context(system_u:object_r:shell_exec_t,s0)
036370
+/usr/bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
036370
 /usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
036370
 
036370
 /usr/lib(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
674dfa
@@ -217,8 +222,11 @@
70a0fb
 /usr/share/PackageKit/pk-upgrade-distro\.sh -- 	gen_context(system_u:object_r:bin_t,s0)
70a0fb
 /usr/share/PackageKit/helpers(/.*)?	gen_context(system_u:object_r:bin_t,s0)
70a0fb
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
70a0fb
+/usr/share/shorewall/configpath	--      gen_context(system_u:object_r:bin_t,s0)
70a0fb
+/usr/share/shorewall-perl(/.*)?	        gen_context(system_u:object_r:bin_t,s0)
70a0fb
 /usr/share/shorewall-shell(/.*)?        gen_context(system_u:object_r:bin_t,s0)
70a0fb
-/usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
70a0fb
+/usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
70a0fb
+/usr/share/shorewall6-lite(/.*)?        gen_context(system_u:object_r:bin_t,s0)
70a0fb
 
70a0fb
 /usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
70a0fb
 
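Review bot: This hunk removes the `/usr/share/turboprint/lib(/.*)? -- bin_t` entry while adding the shorewall ones, and nothing in the visible patch says whether dropping turboprint is intentional. If it is, the patch description should mention it, because files under that path will fall back to the generic /usr/share label and any domain that executed them via corecmd_exec_bin() will start getting denials. If it is an accidental casualty of the merge, the line should be restored alongside the new shorewall-lite entries.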
df3711
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.if.in
df3711
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2010-01-19 12:51:11.968607327 +0100
df3711
+++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.if.in	2010-02-15 11:55:04.801319350 +0100
df3711
@@ -1703,6 +1703,24 @@
df3711
 	allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
df3711
 ')
df3711
 
df3711
+#######################################
df3711
+## <summary>
df3711
+## Dontaudit read and write the TUN/TAP virtual network device.
df3711
+## </summary>
df3711
+## <param name="domain">
df3711
+## <summary>
df3711
+## The domain allowed access.
df3711
+## </summary>
df3711
+## </param>
df3711
+#
df3711
+interface(`corenet_dontaudit_rw_tun_tap_dev',`
df3711
+	gen_require(`
df3711
+		type tun_tap_device_t;
df3711
+	')
df3711
+
df3711
+	dontaudit $1 tun_tap_device_t:chr_file { read write };
df3711
+')
df3711
+
df3711
 ########################################
df3711
 ## <summary>
df3711
 ##	Getattr the point-to-point device.
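Review bot: The parameter summary of corenet_dontaudit_rw_tun_tap_dev says "The domain allowed access.", but the interface grants nothing — it only suppresses audit messages — so it should read `## Domain to not audit.` to match the other dontaudit interfaces in the file. Also note that the rule silences only `{ read write }`; an open() on the device is denied on open/ioctl/getattr as well, so if the goal is to quiet all such attempts the usual form is `dontaudit $1 tun_tap_device_t:chr_file rw_chr_file_perms;` — keep the narrower set only if those denials are wanted in the log. The summary and param lines are also indented with spaces while the surrounding interfaces use a tab after `##`.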
00eb02
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in
573403
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2010-01-19 12:51:11.969607384 +0100
41c9b1
+++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in	2010-04-27 12:15:33.412147158 +0200
674dfa
@@ -107,6 +107,7 @@
674dfa
 network_port(giftd, tcp,1213,s0)
674dfa
 network_port(gopher, tcp,70,s0, udp,70,s0)
674dfa
 network_port(gpsd,tcp,2947,s0)
674dfa
+network_port(hddtemp, tcp,7634,s0)
674dfa
 network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
674dfa
 portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0)
674dfa
 network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
674dfa
@@ -116,7 +117,7 @@
68fb38
 network_port(imaze, tcp,5323,s0, udp,5323,s0)
68fb38
 network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
68fb38
 network_port(innd, tcp,119,s0)
68fb38
-network_port(ipp, tcp,631,s0, udp,631,s0)
68fb38
+network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8611,s0, udp,8611,s0)
68fb38
 network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
68fb38
 network_port(ircd, tcp,6667,s0)
68fb38
 network_port(ipmi, udp,623,s0, udp,664,s0)
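Review bot: Adding tcp/udp 8611 to ipp_port_t widens every domain that already has corenet_*_ipp_port — including the sandbox_x_client_t and sandbox_web_client_t rules earlier in this patch — to a port the hunk does not identify. If this is the Canon BJNP printer-discovery port, annotate it the way the http_cache line annotates 8118: `network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8611,s0, udp,8611,s0) # 8611 is Canon BJNP`. If only the cups domain needs it, a dedicated port type would be tighter than folding it into ipp.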
41c9b1
@@ -133,8 +134,9 @@
41c9b1
 network_port(ktalkd, udp,517,s0, udp,518,s0)
00eb02
 network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
00eb02
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
41c9b1
+network_port(lirc, tcp,8765,s0)
00eb02
 network_port(lmtp, tcp,24,s0, udp,24,s0)
00eb02
-network_port(mail, tcp,2000,s0)
00eb02
+network_port(mail, tcp,2000,s0, tcp,3905,s0)
00eb02
 network_port(memcache, tcp,11211,s0, udp,11211,s0)
00eb02
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
00eb02
 network_port(monopd, tcp,1234,s0)
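Review bot: tcp 3905 is folded into mail_port_t without any indication of what listens there, so every domain with corenet_tcp_connect_mail_port silently gains it. Presumably this is the Cyrus mupdate port used by murder setups; if so, annotate it (`network_port(mail, tcp,2000,s0, tcp,3905,s0) # 3905 is Cyrus mupdate`), and if it is only ever contacted by one daemon consider its own port type instead of widening mail. The lirc addition on the same hunk is fine but would benefit from the same `# 8765 is lircd` style note for consistency.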
036370
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.12/policy/modules/kernel/devices.fc
573403
--- nsaserefpolicy/policy/modules/kernel/devices.fc	2010-01-19 12:51:11.970607302 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.fc	2010-01-19 12:51:30.721620159 +0100
e6583a
@@ -46,8 +46,10 @@
e6583a
 /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
e6583a
 /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
036370
 /dev/kqemu		-c	gen_context(system_u:object_r:qemu_device_t,s0)
e6583a
+/dev/ksm		-c	gen_context(system_u:object_r:ksm_device_t,s0)
036370
 /dev/kvm		-c	gen_context(system_u:object_r:kvm_device_t,s0)
036370
 /dev/lik.*		-c	gen_context(system_u:object_r:event_device_t,s0)
036370
+/dev/lirc[0-9]+        -c      gen_context(system_u:object_r:lirc_device_t,s0)
036370
 /dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
036370
 /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
036370
 /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
1a663d
@@ -168,6 +170,7 @@
1a663d
 
1a663d
 ifdef(`distro_redhat',`
1a663d
 # originally from named.fc
1a663d
+/var/named/chroot/dev 		-d 	gen_context(system_u:object_r:device_t,s0)
1a663d
 /var/named/chroot/dev/null -c	gen_context(system_u:object_r:null_device_t,s0)
1a663d
 /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
1a663d
 /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
036370
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.12/policy/modules/kernel/devices.if
573403
--- nsaserefpolicy/policy/modules/kernel/devices.if	2010-01-19 12:51:11.972607417 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.if	2010-01-19 12:51:30.724607969 +0100
e6583a
@@ -1727,6 +1727,133 @@
036370
 
e6583a
 ########################################
e6583a
 ## <summary>
e6583a
+##	Get the attributes of the ksm devices.
e6583a
+## </summary>
e6583a
+## <param name="domain">
e6583a
+##	<summary>
e6583a
+##	Domain allowed access.
e6583a
+##	</summary>
e6583a
+## </param>
e6583a
+#
e6583a
+interface(`dev_getattr_ksm_dev',`
e6583a
+	gen_require(`
e6583a
+		type device_t, ksm_device_t;
e6583a
+	')
e6583a
+
e6583a
+	getattr_chr_files_pattern($1, device_t, ksm_device_t)
e6583a
+')
e6583a
+
e6583a
+########################################
e6583a
+## <summary>
e6583a
+##	Set the attributes of the ksm devices.
e6583a
+## </summary>
e6583a
+## <param name="domain">
e6583a
+##	<summary>
e6583a
+##	Domain allowed access.
e6583a
+##	</summary>
e6583a
+## </param>
e6583a
+#
e6583a
+interface(`dev_setattr_ksm_dev',`
e6583a
+	gen_require(`
e6583a
+		type device_t, ksm_device_t;
e6583a
+	')
e6583a
+
e6583a
+	setattr_chr_files_pattern($1, device_t, ksm_device_t)
e6583a
+')
e6583a
+
e6583a
+########################################
e6583a
+## <summary>
e6583a
+##	Read the ksm devices.
e6583a
+## </summary>
e6583a
+## <param name="domain">
e6583a
+##	<summary>
e6583a
+##	Domain allowed access.
e6583a
+##	</summary>
e6583a
+## </param>
e6583a
+#
e6583a
+interface(`dev_read_ksm',`
e6583a
+	gen_require(`
e6583a
+		type device_t, ksm_device_t;
e6583a
+	')
e6583a
+
e6583a
+	read_chr_files_pattern($1, device_t, ksm_device_t)
e6583a
+')
e6583a
+
e6583a
+########################################
e6583a
+## <summary>
e6583a
+##      Read and write to ksm devices.
e6583a
+## </summary>
e6583a
+## <param name="domain">
e6583a
+##	<summary>
e6583a
+##      Domain allowed access.
e6583a
+##	</summary>
e6583a
+## </param>
e6583a
+#
e6583a
+interface(`dev_rw_ksm',`
e6583a
+	gen_require(`
e6583a
+		type device_t, ksm_device_t;
e6583a
+	')
e6583a
+
e6583a
+	rw_chr_files_pattern($1, device_t, ksm_device_t)
e6583a
+')
e6583a
+
036370
+######################################
036370
+## <summary>
036370
+##      Read the lirc device.
036370
+## </summary>
036370
+## <param name="domain">
036370
+##      <summary>
036370
+##      Domain allowed access.
036370
+##      </summary>
036370
+## </param>
036370
+#
036370
+interface(`dev_read_lirc',`
036370
+        gen_require(`
036370
+                type device_t, lirc_device_t;
036370
+        ')
036370
+
036370
+        read_chr_files_pattern($1, device_t, lirc_device_t)
036370
+')
036370
+
036370
+######################################
036370
+## <summary>
036370
+##      Read and write the lirc device.
036370
+## </summary>
036370
+## <param name="domain">
036370
+##      <summary>
036370
+##      Domain allowed access.
036370
+##      </summary>
036370
+## </param>
036370
+#
036370
+interface(`dev_rw_lirc',`
036370
+        gen_require(`
036370
+                type device_t, lirc_device_t;
036370
+        ')
036370
+
036370
+        rw_chr_files_pattern($1, device_t, lirc_device_t)
036370
+')
036370
+
036370
+######################################
036370
+## <summary>
036370
+##      Automatic type transition to the type
036370
+##      for lirc device nodes when created in /dev.
036370
+## </summary>
036370
+## <param name="domain">
036370
+##      <summary>
036370
+##      Domain allowed access.
036370
+##      </summary>
036370
+## </param>
036370
+#
036370
+interface(`dev_filetrans_lirc',`
036370
+        gen_require(`
036370
+                type device_t, lirc_device_t;
036370
+        ')
036370
+
036370
+        filetrans_pattern($1, device_t, lirc_device_t, chr_file)
036370
+')
036370
+
e6583a
+########################################
e6583a
+## <summary>
036370
 ##	Read the lvm comtrol device.
e6583a
 ## </summary>
e6583a
 ## <param name="domain">
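Review bot: The three lirc interfaces (dev_read_lirc, dev_rw_lirc, dev_filetrans_lirc) are indented with eight spaces and use a 38-character `#` rule, while the ksm interfaces just above and the rest of devices.if use tabs and a 40-character rule; mixed whitespace in the `gen_require` and pattern lines makes later diffs noisy, so please convert them to tabs. The `## <summary>` text of dev_rw_ksm and the lirc blocks also uses spaces after `##` where the file uses a tab. Naming follows the existing kvm convention (getattr/setattr with `_dev`, read/rw without), so no change needed there.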
be2bab
@@ -3780,3 +3907,21 @@
be2bab
 
be2bab
 	typeattribute $1 devices_unconfined_type;
be2bab
 ')
be2bab
+
be2bab
+######################################
be2bab
+## <summary>
be2bab
+##      Set the attributes of the tty device
be2bab
+## </summary>
be2bab
+## <param name="domain">
be2bab
+##      <summary>
be2bab
+##      Domain allowed access.
be2bab
+##      </summary>
be2bab
+## </param>
be2bab
+#
be2bab
+interface(`dev_setattr_tty',`
be2bab
+       gen_require(`
be2bab
+               type devtty_t;
be2bab
+       ')
be2bab
+
be2bab
+       setattr_chr_files_pattern($1, devtty_t, devtty_t)
be2bab
+')
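Review bot: dev_setattr_tty passes devtty_t as the directory type in `setattr_chr_files_pattern($1, devtty_t, devtty_t)`, which grants `devtty_t:dir search` (no directory carries that type) and omits the `device_t:dir search` that the other interfaces in this hunk, such as dev_getattr_ksm_dev, obtain by naming device_t first. Suggest `type device_t, devtty_t;` in the gen_require and `setattr_chr_files_pattern($1, device_t, devtty_t)`. The body is also indented with seven spaces instead of the file's tabs.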
036370
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.12/policy/modules/kernel/devices.te
573403
--- nsaserefpolicy/policy/modules/kernel/devices.te	2010-01-19 12:51:11.973618649 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.te	2010-01-19 12:51:30.726608294 +0100
e6583a
@@ -78,6 +78,13 @@
e6583a
 dev_node(ipmi_device_t)
e6583a
 
e6583a
 #
e6583a
+# ksm_device_t is the type of
e6583a
+# /dev/ksm
e6583a
+#
e6583a
+type ksm_device_t;
e6583a
+dev_node(ksm_device_t)
e6583a
+
e6583a
+#
e6583a
 # Type for /dev/kmsg
e6583a
 #
e6583a
 type kmsg_device_t;
e6583a
@@ -91,6 +98,12 @@
036370
 dev_node(kvm_device_t)
036370
 
036370
 #
036370
+# Type for /dev/lirc
036370
+#
036370
+type lirc_device_t;
036370
+dev_node(lirc_device_t)
036370
+
036370
+#
036370
 # Type for /dev/mapper/control
036370
 #
036370
 type lvm_control_t;
60c6cb
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if
573403
--- nsaserefpolicy/policy/modules/kernel/domain.if	2010-01-19 12:51:11.977607704 +0100
573403
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if	2010-01-19 12:51:30.727618199 +0100
a0a290
@@ -44,34 +44,6 @@
a0a290
 interface(`domain_type',`
a0a290
 	# start with basic domain
a0a290
 	domain_base_type($1)
a0a290
-
a0a290
-	ifdef(`distro_redhat',`
a0a290
-		optional_policy(`
a0a290
-			unconfined_use_fds($1)
a0a290
-		')
a0a290
-	')
a0a290
-
a0a290
-	# send init a sigchld and signull
a0a290
-	optional_policy(`
a0a290
-		init_sigchld($1)
a0a290
-		init_signull($1)