9eefb8
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.6.12/man/man8/samba_selinux.8
9eefb8
--- nsaserefpolicy/man/man8/samba_selinux.8	2009-04-07 21:54:45.000000000 +0200
9eefb8
+++ serefpolicy-3.6.12/man/man8/samba_selinux.8	2009-08-19 18:01:06.000000000 +0200
9eefb8
@@ -20,7 +20,7 @@
9eefb8
 .TP
9eefb8
 This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
9eefb8
 .TP
9eefb8
-/var/eng(/.*)? system_u:object_r:samba_share_t
9eefb8
+/var/eng(/.*)? system_u:object_r:samba_share_t:s0
9eefb8
 .TP
9eefb8
 Run the restorecon command to apply the changes:
9eefb8
 .TP
9eefb8
@@ -53,4 +53,4 @@
9eefb8
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
9eefb8
 
9eefb8
 .SH "SEE ALSO"
9eefb8
-selinux(8), samba(7), chcon(1), setsebool(8)
9eefb8
+selinux(8), samba(7), chcon(1), setsebool(8), semanage(8)
ce3d03
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.12/policy/mcs
26b349
--- nsaserefpolicy/policy/mcs	2009-06-25 10:19:43.000000000 +0200
7b4c69
+++ serefpolicy-3.6.12/policy/mcs	2009-07-08 21:09:33.000000000 +0200
ce3d03
@@ -66,7 +66,7 @@
ce3d03
 #
ce3d03
 # Note that getattr on files is always permitted.
ce3d03
 #
ce3d03
-mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
7b4c69
+mlsconstrain { file chr_file blk_file lnk_file } { write setattr append unlink link rename ioctl lock execute relabelfrom }
ce3d03
 	(( h1 dom h2 ) or ( t1 == mlsfilewrite ));
ce3d03
 
ce3d03
 mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
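Review bot: The widened `mlsconstrain { file chr_file blk_file lnk_file }` rule still leaves `sock_file` and `fifo_file` outside the MCS write check, so a write to a socket or named pipe whose categories the subject does not dominate appears to stay unconstrained while the same write to a symlink or device node is now refused. If that is deliberate (pipes and sockets are often shared across categories), a one-line comment above the rule saying so would stop the next reader from "fixing" it; otherwise `mlsconstrain { file chr_file blk_file lnk_file sock_file fifo_file } { write setattr append unlink link rename ioctl lock execute relabelfrom }` closes the gap. The constraint block continues outside the hunk, so these classes may already be covered by a separate rule — worth checking before changing.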
ce3d03
@@ -111,22 +111,22 @@
ce3d03
 	(( h1 dom h2 ) and ( l2 eq h2 ));
ce3d03
 
ce3d03
 # Access control for any database objects based on MCS rules.
ce3d03
-mlsconstrain db_database { drop setattr relabelfrom access install_module load_module get_param set_param }
ce3d03
+mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
ce3d03
 	( h1 dom h2 );
ce3d03
 
ce3d03
-mlsconstrain db_table { drop setattr relabelfrom select update insert delete use }
ce3d03
+mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
ce3d03
 	( h1 dom h2 );
ce3d03
 
ce3d03
-mlsconstrain db_column { drop setattr relabelfrom select update insert use }
ce3d03
+mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use }
ce3d03
 	( h1 dom h2 );
ce3d03
 
ce3d03
 mlsconstrain db_tuple { relabelfrom select update delete use }
ce3d03
 	( h1 dom h2 );
ce3d03
 
ce3d03
-mlsconstrain db_procedure { execute install }
ce3d03
+mlsconstrain db_procedure { drop getattr setattr execute install }
ce3d03
 	( h1 dom h2 );
ce3d03
 
ce3d03
-mlsconstrain db_blob { drop setattr relabelfrom read write }
ce3d03
+mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
ce3d03
 	( h1 dom h2 );
ce3d03
 
ce3d03
 ') dnl end enable_mcs
26614e
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.12/policy/modules/admin/certwatch.te
26b349
--- nsaserefpolicy/policy/modules/admin/certwatch.te	2009-06-25 10:19:43.000000000 +0200
26b349
+++ serefpolicy-3.6.12/policy/modules/admin/certwatch.te	2009-06-25 10:21:01.000000000 +0200
26614e
@@ -1,5 +1,5 @@
26614e
 
26614e
-policy_module(certwatch, 1.3.0)
26614e
+policy_module(certwatch, 1.3.1)
26614e
 
26614e
 ########################################
26614e
 #
26614e
@@ -28,7 +28,7 @@
26614e
 fs_list_inotifyfs(certwatch_t)
26614e
 
26614e
 auth_manage_cache(certwatch_t)
26614e
-auth_filetrans_cache(certwatch_t)
26614e
+auth_var_filetrans_cache(certwatch_t)
26614e
 
26614e
 logging_send_syslog_msg(certwatch_t)
26614e
 
d9ce44
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.12/policy/modules/admin/kismet.te
d9ce44
--- nsaserefpolicy/policy/modules/admin/kismet.te	2009-06-25 10:19:43.000000000 +0200
d9ce44
+++ serefpolicy-3.6.12/policy/modules/admin/kismet.te	2009-07-07 08:55:43.000000000 +0200
d9ce44
@@ -23,6 +23,9 @@
d9ce44
 type kismet_var_lib_t;
d9ce44
 files_type(kismet_var_lib_t)
d9ce44
 
d9ce44
+type kismet_tmpfs_t;
d9ce44
+files_tmp_file(kismet_tmpfs_t)
d9ce44
+
d9ce44
 ########################################
d9ce44
 #
d9ce44
 # kismet local policy
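Review bot: `files_tmp_file(kismet_tmpfs_t)` declares the new type as a /tmp file type, but the second hunk of this file labels it through `fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, file)`, i.e. it is tmpfs-backed content. The refpolicy declaration for that case is `files_tmpfs_file(kismet_tmpfs_t)`, which attaches the tmpfsfile attribute used by the tmpfs-wide interfaces; with the current line the type carries the tmpfile attribute instead, so interfaces that act on all tmpfs files will miss it and interfaces that act on all /tmp files will wrongly include it. Suggested change on the added line: `files_tmpfs_file(kismet_tmpfs_t)`.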
d9ce44
@@ -44,6 +47,10 @@
d9ce44
 manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
d9ce44
 files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir })
d9ce44
 
d9ce44
+manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
d9ce44
+manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
d9ce44
+fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, file)
d9ce44
+
d9ce44
 allow kismet_t kismet_var_lib_t:file manage_file_perms;
d9ce44
 allow kismet_t kismet_var_lib_t:dir manage_dir_perms;
d9ce44
 files_var_lib_filetrans(kismet_t, kismet_var_lib_t, { file dir })
d9ce44
@@ -53,6 +60,7 @@
d9ce44
 files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
d9ce44
 
d9ce44
 kernel_search_debugfs(kismet_t)
d9ce44
+kernel_read_system_state(kismet_t)
d9ce44
 
d9ce44
 corecmd_exec_bin(kismet_t)
d9ce44
 
d9ce44
@@ -75,3 +83,11 @@
d9ce44
 
d9ce44
 userdom_use_user_terminals(kismet_t)
d9ce44
 userdom_read_user_tmpfs_files(kismet_t)
d9ce44
+
d9ce44
+optional_policy(`
d9ce44
+        dbus_system_bus_client(kismet_t)
d9ce44
+
d9ce44
+        optional_policy(`
d9ce44
+                networkmanager_dbus_chat(kismet_t)
d9ce44
+        ')
d9ce44
+')
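Review bot: The new `optional_policy` block in this hunk is indented with eight spaces while the rest of the file uses tabs (compare the tab-indented `slrnpull_manage_spool(logrotate_t)` context line in the logrotate.te hunk), so the nesting of the inner `networkmanager_dbus_chat` block depends on the reader's tab width. The same space indentation appears in the mrtg.te, shorewall.if, shorewall.te, gitosis.if and gnome.te hunks, and several added `')` and interface-call lines carry trailing whitespace (logrotate.te, calamaris.te, readahead.te, tzdata.te, rpm.te). Replacing the leading spaces with tabs and stripping the trailing blanks keeps the patch consistent with the tree, which the `-b -B --ignore-all-space` options of this diff are hiding.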
832e49
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.12/policy/modules/admin/logrotate.te
832e49
--- nsaserefpolicy/policy/modules/admin/logrotate.te	2009-06-25 10:19:43.000000000 +0200
70ed45
+++ serefpolicy-3.6.12/policy/modules/admin/logrotate.te	2009-07-28 16:09:42.000000000 +0200
70ed45
@@ -32,7 +32,7 @@
70ed45
 # Change ownership on log files.
70ed45
 allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
70ed45
 # for mailx
70ed45
-dontaudit logrotate_t self:capability { setuid setgid };
70ed45
+dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
70ed45
 
70ed45
 allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
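Review bot: The `# for mailx` comment now also covers `sys_ptrace` on the `dontaudit logrotate_t self:capability` line, but nothing says what in logrotate trips sys_ptrace (reading other processes' /proc entries is the usual trigger — unconfirmed here). A dontaudit suppresses the AVC record rather than the denial, so it removes the evidence a responder would use to notice a logrotate helper probing other processes, and the reason should be stated: `# for mailx (setuid setgid); sys_ptrace: <reason> — TODO confirm`. If the sys_ptrace attempts come from a different helper than mailx, a separate `dontaudit` line with its own comment would be clearer.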
70ed45
 
832e49
@@ -188,6 +188,10 @@
832e49
 ')
832e49
 
832e49
 optional_policy(`
832e49
+	psad_domtrans(logrotate_t)
832e49
+')  
832e49
+
832e49
+optional_policy(`
832e49
 	slrnpull_manage_spool(logrotate_t)
832e49
 ')
832e49
 
832e49
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.12/policy/modules/admin/mrtg.te
832e49
--- nsaserefpolicy/policy/modules/admin/mrtg.te	2009-06-25 10:19:43.000000000 +0200
674dfa
+++ serefpolicy-3.6.12/policy/modules/admin/mrtg.te	2009-08-13 08:59:23.000000000 +0200
674dfa
@@ -136,10 +136,18 @@
674dfa
 ')
674dfa
 
674dfa
 optional_policy(`
674dfa
+        hddtemp_domtrans(mrtg_t)
674dfa
+')
674dfa
+
674dfa
+optional_policy(`
674dfa
 	hostname_exec(mrtg_t)
832e49
 ')
832e49
 
832e49
 optional_policy(`
832e49
+	netutils_domtrans_ping(mrtg_t)
832e49
+')
832e49
+
832e49
+optional_policy(`
832e49
 	seutil_sigchld_newrole(mrtg_t)
832e49
 ')
832e49
 
036370
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.12/policy/modules/admin/prelink.te
26b349
--- nsaserefpolicy/policy/modules/admin/prelink.te	2009-06-25 10:19:43.000000000 +0200
26b349
+++ serefpolicy-3.6.12/policy/modules/admin/prelink.te	2009-06-25 10:21:01.000000000 +0200
c556bd
@@ -68,10 +68,11 @@
c556bd
 files_list_all(prelink_t)
c556bd
 files_getattr_all_files(prelink_t)
c556bd
 files_write_non_security_dirs(prelink_t)
c556bd
-files_read_etc_files(prelink_t)
c556bd
-files_read_etc_runtime_files(prelink_t)
c556bd
+auth_read_all_files_except_shadow(prelink_t)
036370
 files_dontaudit_read_all_symlinks(prelink_t)
036370
 files_manage_usr_files(prelink_t)
036370
+# Delta RPMS
036370
+files_manage_var_files(prelink_t)
036370
 files_relabelfrom_usr_files(prelink_t)
036370
 
036370
 fs_getattr_xattr_fs(prelink_t)
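Review bot: Replacing the two `files_read_etc_*` lines with `auth_read_all_files_except_shadow(prelink_t)` and adding `files_manage_var_files(prelink_t)` widens prelink from reading /etc to reading nearly every file on the system and creating, writing and deleting generic var_t files, yet the only justification is the `# Delta RPMS` comment. The second hunk of this file adds `rpm_manage_tmp_files(prelink_t)`, which suggests the deltarpm working files have their own type and that the blanket /var write may not be needed; if prelink really must touch generic /var files, the comment should name the path or caller (`# Delta RPMS: deltarpm rebuilds packages under <path> — TODO confirm`) so the grant can be narrowed later. Since the `files_read_etc_runtime_files` line is also removed, it is worth confirming that auth_read_all_files_except_shadow covers etc_runtime_t in this tree, otherwise those reads regress.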
c556bd
@@ -102,5 +103,9 @@
036370
 ')
036370
 
036370
 optional_policy(`
036370
+	rpm_manage_tmp_files(prelink_t)
036370
+')
036370
+
036370
+optional_policy(`
036370
 	unconfined_domain(prelink_t)
036370
 ')
e6583a
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te
26b349
--- nsaserefpolicy/policy/modules/admin/readahead.te	2009-06-25 10:19:43.000000000 +0200
23ec6c
+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te	2009-08-05 21:59:03.000000000 +0200
186c59
@@ -50,11 +50,13 @@
186c59
 domain_use_interactive_fds(readahead_t)
186c59
 domain_read_all_domains_state(readahead_t)
186c59
 
186c59
+files_getattr_all_pipes(readahead_t)  
186c59
 files_dontaudit_getattr_all_sockets(readahead_t)
186c59
 files_list_non_security(readahead_t)
e6583a
 files_read_non_security_files(readahead_t)
e6583a
 files_dontaudit_read_security_files(readahead_t)
e6583a
 files_dontaudit_getattr_non_security_blk_files(readahead_t)
e6583a
+files_create_boot_flag(readahead_t)
e6583a
 
e6583a
 fs_getattr_all_fs(readahead_t)
e6583a
 fs_search_auto_mountpoints(readahead_t)
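Review bot: `files_create_boot_flag(readahead_t)` lets readahead create flag files directly in the root directory, an ability normally reserved for init-level tooling because some of those flags change behaviour at the next boot, and nothing in the hunk records which flag readahead needs. A comment on the added line, e.g. `# readahead creates <flag file> in / — TODO confirm`, would let a reviewer judge whether this is the narrowest grant available.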
d92107
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.12/policy/modules/admin/rpm.fc
d92107
--- nsaserefpolicy/policy/modules/admin/rpm.fc	2009-06-25 10:19:43.000000000 +0200
d92107
+++ serefpolicy-3.6.12/policy/modules/admin/rpm.fc	2009-09-02 13:11:37.000000000 +0200
d92107
@@ -1,5 +1,6 @@
d92107
 
d92107
 /bin/rpm 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
d92107
+/usr/bin/rpm                    --      gen_context(system_u:object_r:rpm_exec_t,s0)
d92107
 /usr/bin/smart 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
d92107
 
d92107
 /usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
036370
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.12/policy/modules/admin/rpm.if
26b349
--- nsaserefpolicy/policy/modules/admin/rpm.if	2009-06-25 10:19:43.000000000 +0200
d92107
+++ serefpolicy-3.6.12/policy/modules/admin/rpm.if	2009-09-02 11:03:37.000000000 +0200
036370
@@ -470,6 +470,24 @@
036370
 
036370
 ########################################
036370
 ## <summary>
036370
+##	Manage RPM tmp files
036370
+## </summary>
036370
+## <param name="domain">
036370
+##	<summary>
036370
+##	Domain to not audit.
036370
+##	</summary>
036370
+## </param>
036370
+#
036370
+interface(`rpm_manage_tmp_files',`
036370
+	gen_require(`
036370
+		type rpm_tmp_t;
036370
+	')
036370
+
036370
+	manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
036370
+')
036370
+
036370
+########################################
036370
+## <summary>
036370
 ##	Do not audit attempts to read, 
036370
 ##	write RPM tmp files
036370
 ## </summary>
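Review bot: The `<param name="domain">` description of the new `rpm_manage_tmp_files` interface reads `Domain to not audit.`, copied from the neighbouring dontaudit interface; this interface grants `manage_files_pattern` access, so the text misdescribes what the caller receives. Change the doc line to `##	Domain allowed access.` so the generated interface documentation does not present a write grant as an audit suppression.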
d92107
@@ -569,3 +587,31 @@
d92107
 	allow $1 rpm_t:process signull;
d92107
 ')
d92107
 
d92107
+########################################
d92107
+## <summary>
d92107
+##	dontaudit read and write an leaked file descriptors
d92107
+## </summary>
d92107
+## <param name="domain">
d92107
+##	<summary>
d92107
+##	The type of the process performing this action.
d92107
+##	</summary>
d92107
+## </param>
d92107
+#
d92107
+interface(`rpm_dontaudit_leaks',`
d92107
+	gen_require(`
d92107
+		type rpm_t;
d92107
+		type rpm_script_t;
d92107
+		type rpm_var_run_t;
d92107
+		type rpm_tmp_t;
d92107
+		type rpm_tmpfs_t;
d92107
+	')
d92107
+
d92107
+	dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms;
d92107
+	dontaudit $1 rpm_script_t:fd use;
d92107
+	dontaudit $1 rpm_script_t:fifo_file rw_fifo_file_perms;
d92107
+	dontaudit $1 rpm_var_run_t:file write_file_perms;
d92107
+	dontaudit $1 rpm_tmp_t:file rw_file_perms;
d92107
+	dontaudit $1 rpm_t:shm rw_shm_perms;
d92107
+ 	dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
d92107
+ 	dontaudit $1 rpm_tmpfs_t:file write_file_perms;
d92107
+')
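Review bot: `rpm_dontaudit_leaks` silences `fd use` only for `rpm_script_t`, while the fifo and shm rules cover `rpm_t` as well; if the leaked descriptors also come from `rpm_t` (likely, given `rpm_t:fifo_file` is listed), `dontaudit $1 rpm_t:fd use;` is missing and callers will keep seeing those AVCs. The summary line `dontaudit read and write an leaked file descriptors` should read `Do not audit attempts to read and write leaked RPM file descriptors`, and the last two rules (`rpm_tmpfs_t:dir` and `rpm_tmpfs_t:file`) are indented with a space before the tab, unlike the lines above them. Because this interface hides write attempts on `rpm_var_run_t`, `rpm_tmp_t` and `rpm_tmpfs_t` files, its callers should be limited to domains that genuinely inherit rpm descriptors rather than used as a general noise suppressor.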
832e49
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.12/policy/modules/admin/rpm.te
832e49
--- nsaserefpolicy/policy/modules/admin/rpm.te	2009-06-25 10:19:43.000000000 +0200
832e49
+++ serefpolicy-3.6.12/policy/modules/admin/rpm.te	2009-07-28 14:08:18.000000000 +0200
832e49
@@ -377,6 +377,10 @@
832e49
 ')
832e49
 
832e49
 optional_policy(`
832e49
+	mount_domtrans(rpm_script_t) 
832e49
+')
832e49
+
832e49
+optional_policy(`
832e49
 	tzdata_domtrans(rpm_t)
832e49
 	tzdata_domtrans(rpm_script_t)
832e49
 ')
f0110b
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.6.12/policy/modules/admin/shorewall.fc
f0110b
--- nsaserefpolicy/policy/modules/admin/shorewall.fc	1970-01-01 01:00:00.000000000 +0100
f0110b
+++ serefpolicy-3.6.12/policy/modules/admin/shorewall.fc	2009-06-25 10:21:01.000000000 +0200
f0110b
@@ -0,0 +1,12 @@
f0110b
+
f0110b
+/etc/rc\.d/init\.d/shorewall        	--      gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
f0110b
+/etc/rc\.d/init\.d/shorewall-lite       --      gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
f0110b
+
f0110b
+/etc/shorewall(/.*)?            		gen_context(system_u:object_r:shorewall_etc_t,s0)
f0110b
+/etc/shorewall-lite(/.*)?               	gen_context(system_u:object_r:shorewall_etc_t,s0)
f0110b
+
f0110b
+/sbin/shorewall				--	gen_context(system_u:object_r:shorewall_exec_t,s0)
f0110b
+/sbin/shorewall-lite			--      gen_context(system_u:object_r:shorewall_exec_t,s0)
f0110b
+
f0110b
+/var/lib/shorewall(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
f0110b
+/var/lib/shorewall-lite(/.*)?           	gen_context(system_u:object_r:shorewall_var_lib_t,s0)
f0110b
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.6.12/policy/modules/admin/shorewall.if
f0110b
--- nsaserefpolicy/policy/modules/admin/shorewall.if	1970-01-01 01:00:00.000000000 +0100
f0110b
+++ serefpolicy-3.6.12/policy/modules/admin/shorewall.if	2009-06-25 10:21:01.000000000 +0200
f0110b
@@ -0,0 +1,166 @@
f0110b
+## <summary>policy for shorewall</summary>
f0110b
+
f0110b
+########################################
f0110b
+## <summary>
f0110b
+##	Execute a domain transition to run shorewall.
f0110b
+## </summary>
f0110b
+## <param name="domain">
f0110b
+## <summary>
f0110b
+##	Domain allowed to transition.
f0110b
+## </summary>
f0110b
+## </param>
f0110b
+#
f0110b
+interface(`shorewall_domtrans',`
f0110b
+	gen_require(`
f0110b
+		type shorewall_t; 
f0110b
+		type shorewall_exec_t;
f0110b
+	')
f0110b
+
f0110b
+	domtrans_pattern($1, shorewall_exec_t, shorewall_t)
f0110b
+')
f0110b
+
f0110b
+#######################################
f0110b
+## <summary>
f0110b
+##      Read shorewall etc configuration files.
f0110b
+## </summary>
f0110b
+## <param name="domain">
f0110b
+##      <summary>
f0110b
+##      Domain allowed access.
f0110b
+##      </summary>
f0110b
+## </param>
f0110b
+#
f0110b
+interface(`shorewall_read_etc',`
f0110b
+        gen_require(`
f0110b
+                type shorewall_etc_t;
f0110b
+        ')
f0110b
+
f0110b
+        files_search_etc($1)
f0110b
+        read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
f0110b
+')
f0110b
+
f0110b
+#######################################
f0110b
+## <summary>
f0110b
+##      Read shorewall PID files.
f0110b
+## </summary>
f0110b
+## <param name="domain">
f0110b
+##      <summary>
f0110b
+##      Domain allowed access.
f0110b
+##      </summary>
f0110b
+## </param>
f0110b
+#
f0110b
+interface(`shorewall_read_pid_files',`
f0110b
+        gen_require(`
f0110b
+                type shorewall_var_run_t;
f0110b
+        ')
f0110b
+
f0110b
+        files_search_pids($1)
f0110b
+        read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
f0110b
+')
f0110b
+
f0110b
+#######################################
f0110b
+## <summary>
f0110b
+##      Read and write shorewall PID files.
f0110b
+## </summary>
f0110b
+## <param name="domain">
f0110b
+##      <summary>
f0110b
+##      Domain allowed access.
f0110b
+##      </summary>
f0110b
+## </param>
f0110b
+#
f0110b
+interface(`shorewall_rw_pid_files',`
f0110b
+        gen_require(`
f0110b
+                type shorewall_var_run_t;
f0110b
+        ')
f0110b
+
f0110b
+        files_search_pids($1)
f0110b
+        rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
f0110b
+')
f0110b
+
f0110b
+######################################
f0110b
+## <summary>
f0110b
+##      Read shorewall /var/lib files.
f0110b
+## </summary>
f0110b
+## <param name="domain">
f0110b
+##      <summary>
f0110b
+##      Domain allowed access.
f0110b
+##      </summary>
f0110b
+## </param>
f0110b
+#
f0110b
+interface(`shorewall_read_var_lib',`
f0110b
+        gen_require(`
f0110b
+                type shorewall_t;
f0110b
+       ')
f0110b
+
f0110b
+        files_search_var_lib($1)
f0110b
+        search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
f0110b
+        read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
f0110b
+')
f0110b
+
f0110b
+#######################################
f0110b
+## <summary>
f0110b
+##      Read and write shorewall /var/lib files.
f0110b
+## </summary>
f0110b
+## <param name="domain">
f0110b
+##      <summary>
f0110b
+##      Domain allowed access.
f0110b
+##      </summary>
f0110b
+## </param>
f0110b
+#
f0110b
+interface(`shorewall_rw_var_lib',`
f0110b
+        gen_require(`
f0110b
+                type shorewall_t;
f0110b
+       ')
f0110b
+
f0110b
+        files_search_var_lib($1)
f0110b
+        search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
f0110b
+        rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
f0110b
+')
f0110b
+
f0110b
+#######################################
f0110b
+## <summary>
f0110b
+##      All of the rules required to administrate 
f0110b
+##      an shorewall environment
f0110b
+## </summary>
f0110b
+## <param name="domain">
f0110b
+##      <summary>
f0110b
+##      Domain allowed access.
f0110b
+##      </summary>
f0110b
+## </param>
f0110b
+## <param name="role">
f0110b
+##      <summary>
f0110b
+##      The role to be allowed to manage the syslog domain.
f0110b
+##      </summary>
f0110b
+## </param>
f0110b
+## <rolecap/>
f0110b
+#
f0110b
+interface(`shorewall_admin',`
f0110b
+        gen_require(`
f0110b
+                type shorewall_t, shorewall_var_run_t, shorewall_lock_t;
f0110b
+                type shorewall_initrc_exec_t, shorewall_var_lib_t;
f0110b
+                type shorewall_tmp_t;
f0110b
+        ')
f0110b
+
f0110b
+        allow $1 shorewall_t:process { ptrace signal_perms };
f0110b
+        ps_process_pattern($1, shorewall_t)
f0110b
+
f0110b
+        init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
f0110b
+        domain_system_change_exemption($1)
f0110b
+        role_transition $2 shorewall_initrc_exec_t system_r;
f0110b
+        allow $2 system_r;
f0110b
+
f0110b
+        files_search_etc($1)
f0110b
+        admin_pattern($1, shorewall_etc_t)
f0110b
+
f0110b
+	files_search_locks($1)
f0110b
+	admin_pattern($1, shorewall_lock_t)
f0110b
+
f0110b
+        files_search_pids($1)
f0110b
+        admin_pattern($1, shorewall_var_run_t)
f0110b
+
f0110b
+        files_search_var_lib($1)
f0110b
+        admin_pattern($1, shorewall_var_lib_t)
f0110b
+
f0110b
+        files_search_tmp($1)
f0110b
+        admin_pattern($1, shorewall_tmp_t)
f0110b
+')
f0110b
+
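Review bot: `shorewall_read_var_lib` and `shorewall_rw_var_lib` require `type shorewall_t;` but their bodies use `shorewall_var_lib_t`, and `shorewall_admin` uses `shorewall_etc_t` in `admin_pattern` without requiring it; in a modular build the wrong or missing require breaks any module that calls these interfaces. The fix is `type shorewall_var_lib_t;` in the two var_lib requires and adding `shorewall_etc_t` to the first `type` line of the admin require. Separately, `shorewall_read_pid_files`, `shorewall_rw_pid_files` and `shorewall_admin` require `shorewall_var_run_t`, but the shorewall.te and shorewall.fc added by this same patch declare and label no such type, so those three interfaces cannot be used until the type and its /var/run labeling (exact path unconfirmed) are added. The `<param name="role">` text in `shorewall_admin` still says `manage the syslog domain` and should name shorewall.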
f0110b
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.6.12/policy/modules/admin/shorewall.te
f0110b
--- nsaserefpolicy/policy/modules/admin/shorewall.te	1970-01-01 01:00:00.000000000 +0100
f0110b
+++ serefpolicy-3.6.12/policy/modules/admin/shorewall.te	2009-06-25 10:41:25.000000000 +0200
f0110b
@@ -0,0 +1,103 @@
f0110b
+policy_module(shorewall,1.0.0)
f0110b
+
f0110b
+########################################
f0110b
+#
f0110b
+# Declarations
f0110b
+#
f0110b
+
f0110b
+type shorewall_t;
f0110b
+type shorewall_exec_t;
f0110b
+init_system_domain(shorewall_t, shorewall_exec_t)
f0110b
+
f0110b
+type shorewall_initrc_exec_t;
f0110b
+init_script_file(shorewall_initrc_exec_t)
f0110b
+
f0110b
+# etc files
f0110b
+type shorewall_etc_t;
f0110b
+files_config_file(shorewall_etc_t)
f0110b
+
f0110b
+# lock files
f0110b
+type shorewall_lock_t;
f0110b
+files_lock_file(shorewall_lock_t)
f0110b
+
f0110b
+# tmp files
f0110b
+type shorewall_tmp_t;
f0110b
+files_tmp_file(shorewall_tmp_t)
f0110b
+
f0110b
+# var/lib files
f0110b
+type shorewall_var_lib_t;
f0110b
+files_type(shorewall_var_lib_t)
f0110b
+
f0110b
+########################################
f0110b
+#
f0110b
+# shorewall local policy
f0110b
+#
f0110b
+
f0110b
+allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace};
f0110b
+dontaudit shorewall_t self:capability sys_tty_config;
f0110b
+allow shorewall_t self:process signal;
f0110b
+
f0110b
+allow shorewall_t self:fifo_file rw_fifo_file_perms;
f0110b
+
f0110b
+# etc file
f0110b
+read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
f0110b
+list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
f0110b
+
f0110b
+# lock files
f0110b
+manage_files_pattern(shorewall_t,shorewall_lock_t,shorewall_lock_t)
f0110b
+files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
f0110b
+
f0110b
+# var/lib files for shorewall
f0110b
+exec_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
f0110b
+manage_dirs_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
f0110b
+manage_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
f0110b
+files_var_lib_filetrans(shorewall_t,shorewall_var_lib_t, { dir file })
f0110b
+
f0110b
+# tmp files for shorewall
f0110b
+manage_dirs_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t)
f0110b
+manage_files_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t)
f0110b
+files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir })
f0110b
+
f0110b
+kernel_read_kernel_sysctls(shorewall_t)
f0110b
+kernel_read_system_state(shorewall_t)
f0110b
+kernel_read_network_state(shorewall_t)
f0110b
+kernel_rw_net_sysctls(shorewall_t)
f0110b
+
f0110b
+corecmd_exec_bin(shorewall_t)
f0110b
+corecmd_exec_shell(shorewall_t)
f0110b
+
f0110b
+dev_read_urand(shorewall_t)
f0110b
+
f0110b
+fs_getattr_all_fs(shorewall_t)
f0110b
+
f0110b
+domain_read_all_domains_state(shorewall_t)
f0110b
+
f0110b
+files_getattr_kernel_modules(shorewall_t)
f0110b
+files_read_etc_files(shorewall_t)
f0110b
+files_read_usr_files(shorewall_t)
f0110b
+files_search_kernel_modules(shorewall_t)
f0110b
+
f0110b
+init_rw_utmp(shorewall_t)
f0110b
+
f0110b
+libs_use_ld_so(shorewall_t)
f0110b
+libs_use_shared_libs(shorewall_t)
f0110b
+
f0110b
+logging_send_syslog_msg(shorewall_t)
f0110b
+
f0110b
+miscfiles_read_localization(shorewall_t)
f0110b
+
f0110b
+userdom_dontaudit_list_admin_dir(shorewall_t)
f0110b
+
f0110b
+sysnet_domtrans_ifconfig(shorewall_t)
f0110b
+iptables_domtrans(shorewall_t)
f0110b
+
f0110b
+optional_policy(`
f0110b
+        modutils_domtrans_insmod(shorewall_t)
f0110b
+')
f0110b
+
f0110b
+optional_policy(`
f0110b
+	ulogd_search_log(shorewall_t)
f0110b
+')
f0110b
+
f0110b
+permissive shorewall_t;
f0110b
+
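Review bot: `permissive shorewall_t;` at the end of the file ships the new domain with enforcement switched off, so every rule above it only produces audit records and the firewall management tool effectively runs unconfined; a comment stating that this is a bring-up measure and when it is to be removed (`# TODO: remove once denials are resolved`) keeps it from being forgotten. `iptables_domtrans(shorewall_t)` is also called outside `optional_policy`, making shorewall a hard dependency on the iptables module; wrapping it in an `optional_policy` block like the modutils and ulogd calls below it matches tree convention. Minor: the capability set on the `allow shorewall_t self:capability` line is missing a space before the closing brace.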
23ec6c
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.12/policy/modules/admin/sudo.if
23ec6c
--- nsaserefpolicy/policy/modules/admin/sudo.if	2009-06-25 10:19:43.000000000 +0200
23ec6c
+++ serefpolicy-3.6.12/policy/modules/admin/sudo.if	2009-08-05 23:24:01.000000000 +0200
23ec6c
@@ -152,6 +152,10 @@
23ec6c
 	optional_policy(`
23ec6c
 		dbus_system_bus_client($1_sudo_t)
23ec6c
 	')
23ec6c
+
23ec6c
+	optional_policy(`
23ec6c
+		fprintd_dbus_chat($1_sudo_t)
23ec6c
+	')
23ec6c
 ')
23ec6c
 
23ec6c
 ########################################
a0754b
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tzdata.te serefpolicy-3.6.12/policy/modules/admin/tzdata.te
a0754b
--- nsaserefpolicy/policy/modules/admin/tzdata.te	2009-04-07 21:54:49.000000000 +0200
a0754b
+++ serefpolicy-3.6.12/policy/modules/admin/tzdata.te	2009-09-07 13:31:31.000000000 +0200
a0754b
@@ -16,6 +16,8 @@
a0754b
 # tzdata local policy
a0754b
 #
a0754b
 
a0754b
+fs_getattr_xattr_fs(tzdata_t)  
a0754b
+
a0754b
 files_read_etc_files(tzdata_t)
a0754b
 files_search_spool(tzdata_t)
a0754b
 
d92107
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.12/policy/modules/admin/usermanage.if
d92107
--- nsaserefpolicy/policy/modules/admin/usermanage.if	2009-04-07 21:54:49.000000000 +0200
d92107
+++ serefpolicy-3.6.12/policy/modules/admin/usermanage.if	2009-09-02 09:29:39.000000000 +0200
d92107
@@ -274,6 +274,9 @@
d92107
 	usermanage_domtrans_useradd($1)
d92107
 	role $2 types useradd_t;
d92107
 
d92107
+	# Add/remove user home directories
d92107
+	userdom_manage_home_role($2, useradd_t)
d92107
+
d92107
 	optional_policy(`
d92107
 		nscd_run(useradd_t, $2)
d92107
 	')
82c950
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.12/policy/modules/admin/usermanage.te
26b349
--- nsaserefpolicy/policy/modules/admin/usermanage.te	2009-06-25 10:19:43.000000000 +0200
d92107
+++ serefpolicy-3.6.12/policy/modules/admin/usermanage.te	2009-09-02 09:28:02.000000000 +0200
82c950
@@ -209,6 +209,7 @@
82c950
 files_manage_etc_files(groupadd_t)
82c950
 files_relabel_etc_files(groupadd_t)
82c950
 files_read_etc_runtime_files(groupadd_t)
82c950
+files_read_usr_symlinks(groupadd_t)
82c950
 
82c950
 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
82c950
 corecmd_exec_bin(groupadd_t)
d92107
@@ -489,6 +490,8 @@
d92107
 
d92107
 userdom_use_unpriv_users_fds(useradd_t)
d92107
 # Add/remove user home directories
d92107
+userdom_manage_home_role(system_r, useradd_t)
d92107
+
d92107
 userdom_manage_user_home_content_dirs(useradd_t)
d92107
 userdom_manage_user_home_content_files(useradd_t)
d92107
 userdom_home_filetrans_user_home_dir(useradd_t)
9eefb8
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.12/policy/modules/apps/awstats.te
9eefb8
--- nsaserefpolicy/policy/modules/apps/awstats.te	2009-06-25 10:19:43.000000000 +0200
9eefb8
+++ serefpolicy-3.6.12/policy/modules/apps/awstats.te	2009-08-19 18:08:12.000000000 +0200
9eefb8
@@ -28,6 +28,8 @@
9eefb8
 awstats_rw_pipes(awstats_t)
9eefb8
 awstats_cgi_exec(awstats_t)
9eefb8
 
9eefb8
+can_exec(awstats_t, awstats_exec_t)
9eefb8
+
9eefb8
 manage_dirs_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
9eefb8
 manage_files_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
9eefb8
 files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
23ec6c
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.12/policy/modules/apps/calamaris.te
23ec6c
--- nsaserefpolicy/policy/modules/apps/calamaris.te	2009-04-07 21:54:49.000000000 +0200
23ec6c
+++ serefpolicy-3.6.12/policy/modules/apps/calamaris.te	2009-08-05 23:27:19.000000000 +0200
23ec6c
@@ -82,5 +82,9 @@
23ec6c
 ')
23ec6c
 
23ec6c
 optional_policy(`
23ec6c
+	nscd_socket_use(calamaris_t)
23ec6c
+')  
23ec6c
+
23ec6c
+optional_policy(`
23ec6c
 	nis_use_ypbind(calamaris_t)
23ec6c
 ')
39cdda
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.6.12/policy/modules/apps/gitosis.fc
26b349
--- nsaserefpolicy/policy/modules/apps/gitosis.fc	1970-01-01 01:00:00.000000000 +0100
26b349
+++ serefpolicy-3.6.12/policy/modules/apps/gitosis.fc	2009-06-25 10:21:01.000000000 +0200
39cdda
@@ -0,0 +1,4 @@
39cdda
+
39cdda
+/usr/bin/gitosis-serve			--        gen_context(system_u:object_r:gitosis_exec_t,s0)
39cdda
+
39cdda
+/var/lib/gitosis(/.*)?                            gen_context(system_u:object_r:gitosis_var_lib_t,s0)
39cdda
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.12/policy/modules/apps/gitosis.if
26b349
--- nsaserefpolicy/policy/modules/apps/gitosis.if	1970-01-01 01:00:00.000000000 +0100
8b464d
+++ serefpolicy-3.6.12/policy/modules/apps/gitosis.if	2009-06-29 22:52:15.000000000 +0200
8b464d
@@ -0,0 +1,96 @@
39cdda
+## <summary>gitosis interface</summary>
39cdda
+
39cdda
+#######################################
39cdda
+## <summary>
39cdda
+##      Execute a domain transition to run gitosis.
39cdda
+## </summary>
39cdda
+## <param name="domain">
39cdda
+## <summary>
39cdda
+##      Domain allowed to transition.
39cdda
+## </summary>
39cdda
+## </param>
39cdda
+#
39cdda
+interface(`gitosis_domtrans',`
39cdda
+        gen_require(`
39cdda
+                type gitosis_t, gitosis_exec_t;
39cdda
+        ')
39cdda
+
39cdda
+        domtrans_pattern($1, gitosis_exec_t, gitosis_t)
39cdda
+')
39cdda
+
39cdda
+#######################################
39cdda
+## <summary>
39cdda
+##      Execute gitosis-serve in the gitosis domain, and
39cdda
+##      allow the specified role the gitosis domain.
39cdda
+## </summary>
39cdda
+## <param name="domain">
39cdda
+##      <summary>
39cdda
+##      Domain allowed access
39cdda
+##      </summary>
39cdda
+## </param>
39cdda
+## <param name="role">
39cdda
+##      <summary>
26b349
+##      The role to be allowed the gitosis domain.
39cdda
+##      </summary>
39cdda
+## </param>
39cdda
+## <param name="terminal">
39cdda
+##      <summary>
39cdda
+##      The type of the role's terminal.
39cdda
+##      </summary>
39cdda
+## </param>
39cdda
+#
39cdda
+interface(`gitosis_run',`
39cdda
+        gen_require(`
39cdda
+                type gitosis_t;
39cdda
+        ')
39cdda
+
39cdda
+        gitosis_domtrans($1)
39cdda
+        role $2 types gitosis_t;
39cdda
+        allow gitosis_t $3:chr_file rw_term_perms;
39cdda
+')
39cdda
+
39cdda
+#######################################
39cdda
+## <summary>
39cdda
+##      Allow the specified domain to read
39cdda
+##      gitosis lib files.
39cdda
+## </summary>
39cdda
+## <param name="domain">
39cdda
+##      <summary>
39cdda
+##      Domain allowed access.
39cdda
+##      </summary>
39cdda
+## </param>
39cdda
+#
39cdda
+interface(`gitosis_read_var_lib',`
39cdda
+        gen_require(`
39cdda
+                type gitosis_var_lib_t;
39cdda
+
39cdda
+        ')
8b464d
+	
8b464d
+	files_search_var_lib($1)
39cdda
+        read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
39cdda
+	read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
39cdda
+        list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
39cdda
+')
39cdda
+
39cdda
+######################################
39cdda
+## <summary>
39cdda
+##      Allow the specified domain to manage
39cdda
+##      gitosis lib files.
39cdda
+## </summary>
39cdda
+## <param name="domain">
39cdda
+##      <summary>
39cdda
+##      Domain allowed access.
39cdda
+##      </summary>
39cdda
+## </param>
39cdda
+#
39cdda
+interface(`gitosis_manage_var_lib',`
39cdda
+        gen_require(`
39cdda
+                type gitosis_var_lib_t;
39cdda
+
39cdda
+        ')
39cdda
+
8b464d
+	files_search_var_lib($1)
39cdda
+        manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
39cdda
+        manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
39cdda
+	manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
39cdda
+')
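Review bot: The `gen_require` blocks of `gitosis_read_var_lib` and `gitosis_manage_var_lib` contain a stray blank line before `')`, and both bodies mix tab- and space-indented lines, so the interfaces read as if pasted from two sources. Removing the blank line and indenting the bodies with tabs makes them match the other interfaces in the tree. The summary of `gitosis_read_var_lib` says it reads lib files, but the body also lists directories and reads symlinks; `Read gitosis lib files, directories and symlinks.` would describe the grant accurately.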
39cdda
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.6.12/policy/modules/apps/gitosis.te
26b349
--- nsaserefpolicy/policy/modules/apps/gitosis.te	1970-01-01 01:00:00.000000000 +0100
26b349
+++ serefpolicy-3.6.12/policy/modules/apps/gitosis.te	2009-06-25 10:21:01.000000000 +0200
39cdda
@@ -0,0 +1,43 @@
39cdda
+policy_module(gitosis,1.0.0)
39cdda
+
39cdda
+########################################
39cdda
+#
39cdda
+# Declarations
39cdda
+#
39cdda
+
39cdda
+type gitosis_t;
39cdda
+type gitosis_exec_t;
39cdda
+application_domain(gitosis_t, gitosis_exec_t)
39cdda
+role system_r types gitosis_t;
39cdda
+
39cdda
+type gitosis_var_lib_t;
39cdda
+files_type(gitosis_var_lib_t)
39cdda
+
39cdda
+########################################
39cdda
+#
39cdda
+# gitosis local policy
39cdda
+#
39cdda
+
39cdda
+allow gitosis_t self:fifo_file rw_fifo_file_perms;
39cdda
+
39cdda
+exec_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
39cdda
+manage_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
39cdda
+manage_lnk_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
39cdda
+manage_dirs_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
39cdda
+
39cdda
+corecmd_exec_bin(gitosis_t) 
39cdda
+corecmd_exec_shell(gitosis_t)
39cdda
+
39cdda
+kernel_read_system_state(gitosis_t)
39cdda
+
39cdda
+files_read_usr_files(gitosis_t)
39cdda
+files_search_var_lib(gitosis_t)
39cdda
+
39cdda
+libs_use_ld_so(gitosis_t)
39cdda
+libs_use_shared_libs(gitosis_t)
39cdda
+
39cdda
+miscfiles_read_localization(gitosis_t)
39cdda
+
39cdda
+optional_policy(`
39cdda
+	ssh_rw_pipes(gitosis_t)
39cdda
+')
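Review bot: gitosis_t gets both exec_files_pattern and manage_files_pattern over gitosis_var_lib_t, so any file the domain writes under its lib tree it can also execute; presumably this is for repository hook scripts, but without a comment it reads like an oversight, so add something like `# gitosis runs the hook scripts it writes under its var_lib tree -- confirm`. The pattern calls in this block omit the space after each comma that the rest of the patch uses (`exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)`), and the corecmd_exec_bin line carries trailing whitespace. The only role assignment here is system_r, while the gitosis_role interface whose start lies outside this chunk presumably adds the user role -- confirm.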
c7e17d
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.12/policy/modules/apps/gnome.te
c7e17d
--- nsaserefpolicy/policy/modules/apps/gnome.te	2009-06-25 10:19:43.000000000 +0200
b8bcb3
+++ serefpolicy-3.6.12/policy/modules/apps/gnome.te	2009-09-18 14:56:40.000000000 +0200
b8bcb3
@@ -114,6 +114,16 @@
c7e17d
 
c7e17d
 userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)
c7e17d
 
c7e17d
+tunable_policy(`use_nfs_home_dirs',`
c7e17d
+        fs_manage_nfs_dirs(gconfdefaultsm_t)
c7e17d
+        fs_manage_nfs_files(gconfdefaultsm_t)
c7e17d
+')
c7e17d
+
c7e17d
+tunable_policy(`use_samba_home_dirs',`
c7e17d
+        fs_manage_cifs_dirs(gconfdefaultsm_t)
c7e17d
+        fs_manage_cifs_files(gconfdefaultsm_t)
c7e17d
+')
c7e17d
+
c7e17d
 optional_policy(`
c7e17d
         consolekit_dbus_chat(gconfdefaultsm_t)
c7e17d
 ')
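Review bot: fs_manage_nfs_files and fs_manage_cifs_files grant gconfdefaultsm_t create/write/unlink over every nfs_t and cifs_t object, not just home directories, so under these tunables a system service can modify any NFS or CIFS mount; that is the usual cost of these tunables, but a why-comment should record it, e.g. `# gconf defaults tree lives under $HOME, which may be remote`. If the daemon only needs to read the user's gconf tree, fs_read_nfs_files and fs_read_cifs_files would be the narrower choice -- confirm against the denials that motivated the change.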
9eefb8
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.12/policy/modules/apps/gpg.if
9eefb8
--- nsaserefpolicy/policy/modules/apps/gpg.if	2009-06-25 10:19:43.000000000 +0200
9eefb8
+++ serefpolicy-3.6.12/policy/modules/apps/gpg.if	2009-08-18 15:05:46.000000000 +0200
9eefb8
@@ -30,7 +30,7 @@
9eefb8
 
9eefb8
 	# allow ps to show gpg
9eefb8
 	ps_process_pattern($2, gpg_t)
9eefb8
-	allow $2 gpg_t:process { signal sigkill };
9eefb8
+	allow $2 gpg_t:process { signull sigstop signal sigkill };
9eefb8
 
9eefb8
 	# communicate with the user 
9eefb8
 	allow gpg_helper_t $2:fd use;
9eefb8
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.12/policy/modules/apps/gpg.te
9eefb8
--- nsaserefpolicy/policy/modules/apps/gpg.te	2009-06-25 10:19:43.000000000 +0200
9eefb8
+++ serefpolicy-3.6.12/policy/modules/apps/gpg.te	2009-08-18 15:06:47.000000000 +0200
9eefb8
@@ -90,6 +90,7 @@
9eefb8
 corenet_tcp_connect_all_ports(gpg_t)
9eefb8
 corenet_sendrecv_all_client_packets(gpg_t)
9eefb8
 
9eefb8
+dev_read_generic_usb_dev(gpg_t)
9eefb8
 dev_read_rand(gpg_t)
9eefb8
 dev_read_urand(gpg_t)
9eefb8
 
b8bcb3
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.12/policy/modules/apps/java.te
b8bcb3
--- nsaserefpolicy/policy/modules/apps/java.te	2009-06-25 10:19:43.000000000 +0200
b8bcb3
+++ serefpolicy-3.6.12/policy/modules/apps/java.te	2009-09-22 17:00:57.000000000 +0200
b8bcb3
@@ -148,6 +148,8 @@
b8bcb3
 	# execheap is needed for itanium/BEA jrocket
b8bcb3
 	allow unconfined_java_t self:process { execstack execmem execheap };
b8bcb3
 
b8bcb3
+	files_execmod_all_files(unconfined_java_t)
b8bcb3
+
b8bcb3
 	init_dbus_chat_script(unconfined_java_t)
b8bcb3
 
b8bcb3
 	unconfined_domain_noaudit(unconfined_java_t)
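Review bot: files_execmod_all_files has no why-comment, unlike the execheap rule two lines above; execmod lets the domain execute private mappings it has modified, for every file type, which removes that check entirely for unconfined_java_t. Because the block already calls unconfined_domain_noaudit, the new rule may be redundant or may exist to silence one specific AVC -- either way a comment such as `# execmod on arbitrary files: JIT / text-relocated libraries loaded by the JVM -- confirm` or a reference to the denial would help. The enclosing block starts before this hunk.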
40f5c9
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.12/policy/modules/apps/mozilla.if
40f5c9
--- nsaserefpolicy/policy/modules/apps/mozilla.if	2009-06-25 10:19:43.000000000 +0200
7b4c69
+++ serefpolicy-3.6.12/policy/modules/apps/mozilla.if	2009-07-08 21:12:05.000000000 +0200
7b4c69
@@ -45,6 +45,18 @@
7b4c69
 	relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
7b4c69
 	relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
7b4c69
 	relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
7b4c69
+
7b4c69
+	mozilla_dbus_chat($2)
7b4c69
+
7b4c69
+	userdom_manage_tmp_role($1, mozilla_t)
7b4c69
+
7b4c69
+	optional_policy(`
7b4c69
+		nsplugin_role($1, mozilla_t)
7b4c69
+	')
7b4c69
+
7b4c69
+	optional_policy(`
7b4c69
+		pulseaudio_role($1, mozilla_t)
7b4c69
+	')
7b4c69
 ')
7b4c69
 
7b4c69
 ########################################
7b4c69
@@ -64,6 +76,7 @@
40f5c9
 
40f5c9
 	allow $1 mozilla_home_t:dir list_dir_perms;
40f5c9
 	allow $1 mozilla_home_t:file read_file_perms;
40f5c9
+	allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
40f5c9
 	userdom_search_user_home_dirs($1)
40f5c9
 ')
40f5c9
 
7b4c69
@@ -82,7 +95,8 @@
7b4c69
 		type mozilla_home_t;
7b4c69
 	')
7b4c69
 
7b4c69
-	write_files_pattern($1, mozilla_home_t, mozilla_home_t)
7b4c69
+	allow $1 mozilla_home_t:dir list_dir_perms;
7b4c69
+	allow $1 mozilla_home_t:file write_file_perms;
7b4c69
 	userdom_search_user_home_dirs($1)
7b4c69
 ')
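Review bot: replacing write_files_pattern with an explicit `allow $1 mozilla_home_t:dir list_dir_perms;` widens the directory access from search to a full listing of mozilla_home_t directories, which the original pattern did not grant. If listing is not required, `allow $1 mozilla_home_t:dir search_dir_perms;` keeps the original scope while still splitting the rules; if it is, a short comment stating why would stop the next reader from tightening it back. The enclosing interface begins outside this hunk.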
7b4c69
 
494f21
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.12/policy/modules/apps/mozilla.te
26b349
--- nsaserefpolicy/policy/modules/apps/mozilla.te	2009-06-25 10:19:43.000000000 +0200
7b4c69
+++ serefpolicy-3.6.12/policy/modules/apps/mozilla.te	2009-07-08 21:12:10.000000000 +0200
7b4c69
@@ -59,6 +59,7 @@
7b4c69
 manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
7b4c69
 manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
7b4c69
 userdom_search_user_home_dirs(mozilla_t)
7b4c69
+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
7b4c69
 
7b4c69
 # Mozpluggerrc
7b4c69
 allow mozilla_t mozilla_conf_t:file read_file_perms;
7b4c69
@@ -97,6 +98,7 @@
7b4c69
 corenet_tcp_connect_ftp_port(mozilla_t)
7b4c69
 corenet_tcp_connect_ipp_port(mozilla_t)
7b4c69
 corenet_tcp_connect_generic_port(mozilla_t)
7b4c69
+corenet_tcp_connect_soundd_port(mozilla_t)
7b4c69
 corenet_sendrecv_http_client_packets(mozilla_t)
7b4c69
 corenet_sendrecv_http_cache_client_packets(mozilla_t)
7b4c69
 corenet_sendrecv_ftp_client_packets(mozilla_t)
7b4c69
@@ -114,6 +116,8 @@
7b4c69
 dev_dontaudit_rw_dri(mozilla_t)
7b4c69
 dev_getattr_sysfs_dirs(mozilla_t)
7b4c69
 
7b4c69
+domain_dontaudit_read_all_domains_state(mozilla_t)
7b4c69
+
7b4c69
 files_read_etc_runtime_files(mozilla_t)
7b4c69
 files_read_usr_files(mozilla_t)
7b4c69
 files_read_etc_files(mozilla_t)
7b4c69
@@ -139,12 +143,7 @@
7b4c69
 # Browse the web, connect to printer
7b4c69
 sysnet_dns_name_resolve(mozilla_t)
7b4c69
 
7b4c69
-userdom_manage_user_home_content_dirs(mozilla_t)
7b4c69
-userdom_manage_user_home_content_files(mozilla_t)
7b4c69
-userdom_manage_user_home_content_symlinks(mozilla_t)
7b4c69
-userdom_manage_user_tmp_dirs(mozilla_t)
7b4c69
-userdom_manage_user_tmp_files(mozilla_t)
7b4c69
-userdom_manage_user_tmp_sockets(mozilla_t)
494f21
+userdom_use_user_ptys(mozilla_t)
494f21
 
494f21
 xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
494f21
 xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
7b4c69
@@ -241,6 +240,9 @@
7b4c69
 optional_policy(`
7b4c69
 	dbus_system_bus_client(mozilla_t)
7b4c69
 	dbus_session_bus_client(mozilla_t)
7b4c69
+	optional_policy(`
7b4c69
+		networkmanager_dbus_chat(mozilla_t)
7b4c69
+	')
7b4c69
 ')
7b4c69
 
7b4c69
 optional_policy(`
d9ce44
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.12/policy/modules/apps/nsplugin.if
d9ce44
--- nsaserefpolicy/policy/modules/apps/nsplugin.if	2009-06-25 10:19:43.000000000 +0200
d9ce44
+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.if	2009-07-07 08:51:57.000000000 +0200
d9ce44
@@ -89,6 +89,8 @@
d9ce44
 	role $1 types nsplugin_config_t;
d9ce44
 
d9ce44
 	allow nsplugin_t $2:process signull;
d9ce44
+	allow nsplugin_t $2:sem rw_sem_perms;
d9ce44
+ 	allow nsplugin_t $2:shm rw_shm_perms;
d9ce44
 
d9ce44
 	list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
d9ce44
 	read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
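Review bot: the shm line is indented with a space followed by a tab, unlike the sem line directly above it; it should be a single tab, `allow nsplugin_t $2:shm rw_shm_perms;`. Beyond style, read/write on the user domain's semaphores and shared memory crosses the plugin/user isolation boundary that this module exists to provide, so a comment naming the shared-memory transport that needs it would justify the widening -- presumably a plugin/browser IPC path, confirm. The enclosing interface starts outside this hunk.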
7414cf
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.fc serefpolicy-3.6.12/policy/modules/apps/ptchown.fc
7414cf
--- nsaserefpolicy/policy/modules/apps/ptchown.fc	1970-01-01 01:00:00.000000000 +0100
7414cf
+++ serefpolicy-3.6.12/policy/modules/apps/ptchown.fc	2009-08-14 08:31:59.000000000 +0200
7414cf
@@ -0,0 +1,2 @@
7414cf
+
7414cf
+/usr/libexec/pt_chown	--	gen_context(system_u:object_r:ptchown_exec_t,s0)
7414cf
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.6.12/policy/modules/apps/ptchown.if
7414cf
--- nsaserefpolicy/policy/modules/apps/ptchown.if	1970-01-01 01:00:00.000000000 +0100
7414cf
+++ serefpolicy-3.6.12/policy/modules/apps/ptchown.if	2009-08-14 08:09:22.000000000 +0200
7414cf
@@ -0,0 +1,22 @@
7414cf
+
7414cf
+## <summary>helper function for grantpt(3), changes ownship and permissions of pseudotty</summary>
7414cf
+
7414cf
+########################################
7414cf
+## <summary>
7414cf
+##	Execute a domain transition to run ptchown.
7414cf
+## </summary>
7414cf
+## <param name="domain">
7414cf
+## <summary>
7414cf
+##	Domain allowed to transition.
7414cf
+## </summary>
7414cf
+## </param>
7414cf
+#
7414cf
+interface(`ptchown_domtrans',`
7414cf
+	gen_require(`
7414cf
+		type ptchown_t;
7414cf
+                type ptchown_exec_t;
7414cf
+	')
7414cf
+
7414cf
+	domtrans_pattern($1,ptchown_exec_t,ptchown_t)
7414cf
+')
7414cf
+
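Review bot: inside the gen_require block the ptchown_exec_t line is indented with spaces while every other line in the file uses tabs, and the domtrans call omits the spaces after commas used by the rest of the patch, `domtrans_pattern($1, ptchown_exec_t, ptchown_t)`. The module summary also has a typo, "ownship" for "ownership", and the file ends with a stray blank line.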
7414cf
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.6.12/policy/modules/apps/ptchown.te
7414cf
--- nsaserefpolicy/policy/modules/apps/ptchown.te	1970-01-01 01:00:00.000000000 +0100
9eefb8
+++ serefpolicy-3.6.12/policy/modules/apps/ptchown.te	2009-08-20 09:35:25.000000000 +0200
9eefb8
@@ -0,0 +1,40 @@
7414cf
+policy_module(ptchown,1.0.0)
7414cf
+
7414cf
+########################################
7414cf
+#
7414cf
+# Declarations
7414cf
+#
7414cf
+
7414cf
+type ptchown_t;
7414cf
+type ptchown_exec_t;
7414cf
+application_domain(ptchown_t, ptchown_exec_t)
7414cf
+role system_r types ptchown_t;
7414cf
+
7414cf
+permissive ptchown_t;
7414cf
+
7414cf
+########################################
7414cf
+#
7414cf
+# ptchown local policy
7414cf
+#
7414cf
+
9eefb8
+allow ptchown_t self:capability { chown fowner fsetid setuid };
7414cf
+allow ptchown_t self:process { getcap setcap };
7414cf
+
7414cf
+# Init script handling
7414cf
+domain_use_interactive_fds(ptchown_t)
7414cf
+
7414cf
+# internal communication is often done using fifo and unix sockets.
7414cf
+allow ptchown_t self:fifo_file rw_file_perms;
7414cf
+allow ptchown_t self:unix_stream_socket create_stream_socket_perms;
7414cf
+
7414cf
+files_read_etc_files(ptchown_t)
7414cf
+
7414cf
+fs_rw_anon_inodefs_files(ptchown_t)
7414cf
+
7414cf
+term_setattr_generic_ptys(ptchown_t)
7414cf
+term_setattr_all_user_ptys(ptchown_t)
9eefb8
+term_use_generic_ptys(ptchown_t)
9eefb8
+term_use_ptmx(ptchown_t)
7414cf
+
7414cf
+miscfiles_read_localization(ptchown_t)
7414cf
+
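Review bot: `permissive ptchown_t;` means no rule in this file is enforced for the domain -- denials are only logged -- so the capability set below (chown fowner fsetid setuid) is not actually the boundary of this setuid helper; that is acceptable while the policy is being developed, but it should carry a comment saying so and be removed before the module ships. The "# Init script handling" comment above domain_use_interactive_fds is copied from the daemon template and does not describe pt_chown, which the .if file calls a grantpt(3) helper; something like `# pt_chown inherits the caller's terminal fds -- confirm` would be accurate. The file also ends with a stray blank line.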
e6583a
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.12/policy/modules/apps/qemu.fc
26b349
--- nsaserefpolicy/policy/modules/apps/qemu.fc	2009-06-25 10:19:43.000000000 +0200
26b349
+++ serefpolicy-3.6.12/policy/modules/apps/qemu.fc	2009-06-25 10:21:01.000000000 +0200
e6583a
@@ -1,2 +1,3 @@
e6583a
 /usr/bin/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
e6583a
+/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
e6583a
 
686d80
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.12/policy/modules/apps/qemu.te
26b349
--- nsaserefpolicy/policy/modules/apps/qemu.te	2009-06-25 10:19:43.000000000 +0200
26b349
+++ serefpolicy-3.6.12/policy/modules/apps/qemu.te	2009-06-25 10:21:01.000000000 +0200
c556bd
@@ -88,11 +88,16 @@
c556bd
 ')
c556bd
 
c556bd
 optional_policy(`
c556bd
+	dbus_system_bus_client(qemu_t)
c556bd
+')
c556bd
+
c556bd
+optional_policy(`
c556bd
 	samba_domtrans_smb(qemu_t)
c556bd
 ')
686d80
 
686d80
 optional_policy(`
686d80
 	virt_manage_images(qemu_t)
686d80
+	virt_append_log(qemu_t)
686d80
 ')
686d80
 
686d80
 optional_policy(`
494f21
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.12/policy/modules/apps/sandbox.if
26b349
--- nsaserefpolicy/policy/modules/apps/sandbox.if	2009-06-25 10:19:43.000000000 +0200
26b349
+++ serefpolicy-3.6.12/policy/modules/apps/sandbox.if	2009-06-25 10:21:01.000000000 +0200
494f21
@@ -3,73 +3,143 @@
494f21
 
494f21
 ########################################
494f21
 ## <summary>
494f21
-##	Execute a domain transition to run sandbox.
494f21
+##	Execute sandbox in the sandbox domain, and
494f21
+##	allow the specified role the sandbox domain.
494f21
 ## </summary>
494f21
 ## <param name="domain">
494f21
 ## <summary>
494f21
-##	Domain allowed to transition.
494f21
+##	Domain allowed access
494f21
+##	</summary>
494f21
+## </param>
494f21
+## <param name="role">
494f21
+##	<summary>
494f21
+##	The role to be allowed the sandbox domain.
494f21
 ## </summary>
494f21
 ## </param>
494f21
 #
494f21
-interface(`sandbox_domtrans',`
494f21
+interface(`sandbox_transition',`
494f21
 	gen_require(`
494f21
-		type sandbox_t;
494f21
-                type sandbox_exec_t;
494f21
+		type sandbox_xserver_t;
494f21
+		attribute sandbox_domain;
494f21
 	')
494f21
 
494f21
-	domtrans_pattern($1,sandbox_exec_t,sandbox_t)
494f21
+	allow $1 sandbox_domain:process transition;
494f21
+	dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
494f21
+	role $2 types sandbox_domain;
494f21
+	role $2 types sandbox_xserver_t;
494f21
 ')
494f21
 
494f21
-
494f21
 ########################################
494f21
 ## <summary>
494f21
-##	Execute sandbox in the sandbox domain, and
494f21
-##	allow the specified role the sandbox domain.
494f21
+##	Creates types and rules for a basic
494f21
+##	qemu process domain.
494f21
 ## </summary>
494f21
-## <param name="domain">
494f21
+## <param name="prefix">
494f21
 ##	<summary>
494f21
-##	Domain allowed access
494f21
-##	</summary>
494f21
-## </param>
494f21
-## <param name="role">
494f21
-##	<summary>
494f21
-##	The role to be allowed the sandbox domain.
494f21
+##	Prefix for the domain.
494f21
 ##	</summary>
494f21
 ## </param>
494f21
 #
494f21
-interface(`sandbox_run',`
494f21
+template(`sandbox_domain_template',`
494f21
+
494f21
 	gen_require(`
494f21
-		type sandbox_t;
494f21
+		attribute sandbox_domain;
494f21
 	')
494f21
 
494f21
-	sandbox_domtrans($1)
494f21
-	role $2 types sandbox_t;
494f21
+	type $1_t, sandbox_domain;
494f21
+	domain_type($1_t)
494f21
+
494f21
+	type $1_file_t;
494f21
+	files_type($1_file_t)
494f21
+
494f21
+	can_exec($1_t, $1_file_t)
494f21
+	manage_dirs_pattern($1_t, $1_file_t, $1_file_t)
494f21
+	manage_files_pattern($1_t, $1_file_t, $1_file_t)
494f21
+	manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t)
494f21
+	manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
494f21
+	manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
494f21
 ')
494f21
 
494f21
 ########################################
494f21
 ## <summary>
494f21
-##	Role access for sandbox
494f21
+##	Creates types and rules for a basic
494f21
+##	qemu process domain.
494f21
 ## </summary>
494f21
-## <param name="role">
494f21
+## <param name="prefix">
494f21
 ##	<summary>
494f21
-##	Role allowed access
494f21
+##	Prefix for the domain.
494f21
 ##	</summary>
494f21
 ## </param>
494f21
+#
494f21
+template(`sandbox_x_domain_template',`
494f21
+	gen_require(`
494f21
+		type xserver_exec_t;
494f21
+		type sandbox_xserver_t;
494f21
+		attribute sandbox_domain, sandbox_x_domain;
494f21
+	')
494f21
+
494f21
+	sandbox_domain_template($1)
494f21
+
494f21
+	
494f21
+	typeattribute $1_t sandbox_x_domain;
494f21
+
494f21
+	# window manager
494f21
+	miscfiles_setattr_fonts($1_t)
494f21
+	allow $1_t self:capability setuid;
494f21
+
494f21
+	type $1_client_t, sandbox_x_domain, sandbox_domain;
494f21
+	domain_type($1_client_t)
494f21
+
494f21
+	type $1_client_tmpfs_t;
494f21
+	files_tmpfs_file($1_client_tmpfs_t)
494f21
+
494f21
+	allow $1_client_t sandbox_devpts_t:chr_file { rw_term_perms setattr };
494f21
+	term_create_pty($1_client_t,sandbox_devpts_t)
494f21
+
494f21
+	manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
494f21
+	fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
494f21
+	allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
494f21
+
494f21
+	domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
494f21
+	allow $1_t sandbox_xserver_t:process sigkill;
494f21
+
494f21
+	domtrans_pattern($1_t, $1_file_t, $1_client_t)
494f21
+	domain_entry_file($1_client_t,  $1_file_t)
494f21
+
494f21
+	manage_dirs_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
494f21
+	manage_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
494f21
+	manage_sock_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
494f21
+	allow sandbox_xserver_t $1_file_t:sock_file create_sock_file_perms;
494f21
+	ps_process_pattern(sandbox_xserver_t, $1_client_t)
494f21
+	ps_process_pattern(sandbox_xserver_t, $1_t)
494f21
+	allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
494f21
+	allow sandbox_xserver_t $1_t:shm rw_shm_perms;
494f21
+
494f21
+	can_exec($1_client_t, $1_file_t)
494f21
+	manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t)
494f21
+	manage_files_pattern($1_client_t, $1_file_t, $1_file_t)
494f21
+	manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t)
494f21
+	manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t)
494f21
+	manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t)
494f21
+
494f21
+#	permissive $1_client_t;
494f21
+')
494f21
+
494f21
+########################################
494f21
+## <summary>
494f21
+##	allow domain to read, 
494f21
+##	write sandbox_xserver tmp files
494f21
+## </summary>
494f21
 ## <param name="domain">
494f21
 ##	<summary>
494f21
-##	User domain for the role
494f21
+##	Domain to not audit.
494f21
 ##	</summary>
494f21
 ## </param>
494f21
 #
494f21
-interface(`sandbox_role',`
494f21
+interface(`sandbox_rw_xserver_tmpfs_files',`
494f21
 	gen_require(`
494f21
-              type sandbox_t;
494f21
+		type sandbox_xserver_tmpfs_t;
494f21
 	')
494f21
 
494f21
-	role $2 types sandbox_t;
494f21
-
494f21
-	sandbox_domtrans($1)
494f21
-
494f21
-	ps_process_pattern($2, sandbox_t)
494f21
-	allow $2 sandbox_t:process signal;
494f21
+	allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
494f21
 ')
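Review bot: sandbox_x_domain_template uses sandbox_devpts_t in the `allow $1_client_t sandbox_devpts_t:chr_file` and term_create_pty lines, but its gen_require block lists only xserver_exec_t, sandbox_xserver_t and the two attributes; it compiles because the template is expanded in sandbox.te where the type is declared, yet refpolicy convention requires `type sandbox_devpts_t;` in the require block, and the template would fail if instantiated from another module. The summaries of both sandbox_domain_template and sandbox_x_domain_template read "Creates types and rules for a basic qemu process domain", a copy-paste from qemu.if, and the parameter summary of sandbox_rw_xserver_tmpfs_files says "Domain to not audit." although the interface grants rw_file_perms rather than a dontaudit; "Domain allowed access." matches what it does. The commented-out `#	permissive $1_client_t;` near the end of the template is dead text and should be dropped rather than left for a later uncomment.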
070ff2
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.12/policy/modules/apps/sandbox.te
26b349
--- nsaserefpolicy/policy/modules/apps/sandbox.te	2009-06-25 10:19:43.000000000 +0200
26b349
+++ serefpolicy-3.6.12/policy/modules/apps/sandbox.te	2009-06-25 10:21:01.000000000 +0200
494f21
@@ -1,18 +1,84 @@
494f21
 policy_module(sandbox,1.0.0)
494f21
+dbus_stub()
494f21
+attribute sandbox_domain;
494f21
+attribute sandbox_x_domain;
494f21
 
494f21
 ########################################
494f21
 #
494f21
 # Declarations
494f21
 #
494f21
 
494f21
-type sandbox_t;
494f21
-type sandbox_exec_t;
494f21
-application_domain(sandbox_t, sandbox_exec_t)
494f21
-init_daemon_domain(sandbox_t, sandbox_exec_t)
494f21
-role system_r types sandbox_t;
494f21
+sandbox_domain_template(sandbox)
494f21
+sandbox_x_domain_template(sandbox_x)
494f21
+sandbox_x_domain_template(sandbox_web)
494f21
+sandbox_x_domain_template(sandbox_net)
494f21
 
494f21
-type sandbox_file_t;
494f21
-files_type(sandbox_file_t)
494f21
+type sandbox_xserver_t;
494f21
+domain_type(sandbox_xserver_t)
494f21
+xserver_common_app(sandbox_xserver_t)
494f21
+permissive sandbox_xserver_t;
494f21
+
494f21
+type sandbox_xserver_tmpfs_t;
494f21
+files_tmpfs_file(sandbox_xserver_tmpfs_t)
494f21
+
494f21
+type sandbox_devpts_t;
494f21
+term_pty(sandbox_devpts_t)
494f21
+files_type(sandbox_devpts_t)
494f21
+
494f21
+########################################
494f21
+#
494f21
+# sandbox xserver policy
494f21
+#
494f21
+allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
494f21
+allow sandbox_xserver_t self:shm create_shm_perms;
494f21
+allow sandbox_xserver_t self:tcp_socket create_socket_perms;
494f21
+
494f21
+manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
494f21
+manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
494f21
+manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
494f21
+manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
494f21
+manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
494f21
+fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
494f21
+
494f21
+corecmd_exec_bin(sandbox_xserver_t)
494f21
+corecmd_exec_shell(sandbox_xserver_t)
494f21
+
494f21
+corenet_all_recvfrom_unlabeled(sandbox_xserver_t)
494f21
+corenet_all_recvfrom_netlabel(sandbox_xserver_t)
494f21
+corenet_tcp_sendrecv_generic_if(sandbox_xserver_t)
494f21
+corenet_udp_sendrecv_generic_if(sandbox_xserver_t)
494f21
+corenet_tcp_sendrecv_generic_node(sandbox_xserver_t)
494f21
+corenet_udp_sendrecv_generic_node(sandbox_xserver_t)
494f21
+corenet_tcp_sendrecv_all_ports(sandbox_xserver_t)
494f21
+corenet_udp_sendrecv_all_ports(sandbox_xserver_t)
494f21
+corenet_tcp_bind_generic_node(sandbox_xserver_t)
494f21
+corenet_tcp_bind_xserver_port(sandbox_xserver_t)
494f21
+corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
494f21
+corenet_sendrecv_all_client_packets(sandbox_xserver_t)
494f21
+
494f21
+files_read_etc_files(sandbox_xserver_t)
494f21
+files_read_usr_files(sandbox_xserver_t)
494f21
+files_search_home(sandbox_xserver_t)
494f21
+fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
494f21
+
494f21
+miscfiles_read_fonts(sandbox_xserver_t)
494f21
+miscfiles_read_localization(sandbox_xserver_t)
494f21
+
494f21
+kernel_read_system_state(sandbox_xserver_t)
494f21
+
494f21
+auth_use_nsswitch(sandbox_xserver_t)
494f21
+
494f21
+userdom_use_user_terminals(sandbox_xserver_t)
494f21
+
494f21
+xserver_entry_type(sandbox_xserver_t)
494f21
+
494f21
+optional_policy(`
494f21
+	dbus_system_bus_client(sandbox_xserver_t)
494f21
+
494f21
+	optional_policy(`
494f21
+		hal_dbus_chat(sandbox_xserver_t)
494f21
+	')
494f21
+')
070ff2
 
494f21
 ########################################
494f21
 #
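Review bot: `permissive sandbox_xserver_t;` leaves the sandbox X server domain unenforced while the same block grants it corenet_tcp_sendrecv_all_ports, corenet_udp_sendrecv_all_ports and corenet_sendrecv_all_client_packets, so the rules below describe what is logged rather than what is allowed; a comment explaining that this is a development setting, and a plan to remove it, belong next to the line. dbus_stub() and the two attribute declarations sit above the "Declarations" banner rather than under it; moving them below the banner keeps the file's own structure honest.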
494f21
@@ -20,21 +86,189 @@
494f21
 #
494f21
 
494f21
 ## internal communication is often done using fifo and unix sockets.
494f21
-allow sandbox_t self:fifo_file rw_file_perms;
494f21
-allow sandbox_t self:unix_stream_socket create_stream_socket_perms;
494f21
+allow sandbox_domain self:fifo_file rw_file_perms;
494f21
+allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
494f21
+
494f21
+files_rw_all_inherited_files(sandbox_domain)
494f21
+files_entrypoint_all_files(sandbox_domain)
494f21
+
494f21
+miscfiles_read_localization(sandbox_domain)
494f21
+
494f21
+kernel_dontaudit_read_system_state(sandbox_domain)
494f21
+corecmd_exec_all_executables(sandbox_domain)
494f21
+
494f21
+
494f21
+########################################
494f21
+#
494f21
+# sandbox_x_domain local policy
494f21
+#
494f21
+allow sandbox_x_domain self:process { signal_perms getsched setpgid };
494f21
+allow sandbox_x_domain self:shm create_shm_perms;
494f21
+allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
494f21
+allow sandbox_x_domain self:unix_dgram_socket create_socket_perms;
494f21
+allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
494f21
+dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
494f21
+
494f21
+dev_read_urand(sandbox_x_domain)
494f21
+dev_dontaudit_read_rand(sandbox_x_domain)
494f21
+
494f21
+files_read_etc_files(sandbox_x_domain)
494f21
+files_read_usr_files(sandbox_x_domain)
494f21
+files_read_usr_symlinks(sandbox_x_domain)
494f21
+
494f21
+fs_getattr_tmpfs(sandbox_x_domain)
494f21
+fs_getattr_xattr_fs(sandbox_x_domain)
494f21
+
494f21
+auth_dontaudit_read_login_records(sandbox_x_domain)
494f21
+
494f21
+init_read_utmp(sandbox_x_domain)
494f21
+
494f21
+term_getattr_pty_fs(sandbox_x_domain)
494f21
+term_use_ptmx(sandbox_x_domain)
494f21
+
494f21
+logging_send_syslog_msg(sandbox_x_domain)
494f21
+
494f21
+miscfiles_read_fonts(sandbox_x_domain)
494f21
+
494f21
+optional_policy(`
494f21
+	gnome_read_gconf_config(sandbox_x_domain)
494f21
+')
494f21
+
494f21
+optional_policy(`
494f21
+	cups_stream_connect(sandbox_x_domain)
494f21
+	cups_read_rw_config(sandbox_x_domain)
494f21
+')
494f21
+
494f21
+########################################
494f21
+#
494f21
+# sandbox_x_client_t local policy
494f21
+#
494f21
+allow sandbox_x_client_t self:tcp_socket create_socket_perms;
494f21
+allow sandbox_x_client_t self:udp_socket create_socket_perms;
494f21
+allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
494f21
+allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms;
494f21
+
494f21
+dev_read_rand(sandbox_x_client_t)
494f21
+
494f21
+corenet_tcp_connect_ipp_port(sandbox_x_client_t)
070ff2
+
494f21
+auth_use_nsswitch(sandbox_x_client_t)
494f21
+
494f21
+dbus_system_bus_client(sandbox_x_client_t)
494f21
+dbus_read_config(sandbox_x_client_t)
494f21
+selinux_get_fs_mount(sandbox_x_client_t)
494f21
+selinux_validate_context(sandbox_x_client_t)
494f21
+selinux_compute_access_vector(sandbox_x_client_t)
494f21
+selinux_compute_create_context(sandbox_x_client_t)
494f21
+selinux_compute_relabel_context(sandbox_x_client_t)
494f21
+selinux_compute_user_contexts(sandbox_x_client_t)
494f21
+seutil_read_default_contexts(sandbox_x_client_t)
494f21
+
494f21
+optional_policy(`
494f21
+	hal_dbus_chat(sandbox_x_client_t)
494f21
+')
494f21
+
494f21
+########################################
494f21
+#
494f21
+# sandbox_web_client_t local policy
494f21
+#
494f21
+allow sandbox_web_client_t self:capability { setuid setgid };
494f21
+allow sandbox_web_client_t self:netlink_audit_socket nlmsg_relay;
494f21
+allow sandbox_web_client_t self:process setsched;
494f21
+
494f21
+allow sandbox_web_client_t self:tcp_socket create_socket_perms;
494f21
+allow sandbox_web_client_t self:udp_socket create_socket_perms;
494f21
+allow sandbox_web_client_t self:dbus { acquire_svc send_msg };
494f21
+allow sandbox_web_client_t self:netlink_selinux_socket create_socket_perms;
494f21
+
494f21
+dev_read_rand(sandbox_web_client_t)
494f21
+
494f21
+# Browse the web, connect to printer
494f21
+corenet_all_recvfrom_unlabeled(sandbox_web_client_t)
494f21
+corenet_all_recvfrom_netlabel(sandbox_web_client_t)
494f21
+corenet_tcp_sendrecv_generic_if(sandbox_web_client_t)
494f21
+corenet_raw_sendrecv_generic_if(sandbox_web_client_t)
494f21
+corenet_tcp_sendrecv_generic_node(sandbox_web_client_t)
494f21
+corenet_raw_sendrecv_generic_node(sandbox_web_client_t)
494f21
+corenet_tcp_sendrecv_http_port(sandbox_web_client_t)
494f21
+corenet_tcp_sendrecv_http_cache_port(sandbox_web_client_t)
494f21
+corenet_tcp_sendrecv_ftp_port(sandbox_web_client_t)
494f21
+corenet_tcp_sendrecv_ipp_port(sandbox_web_client_t)
494f21
+corenet_tcp_connect_http_port(sandbox_web_client_t)
494f21
+corenet_tcp_connect_http_cache_port(sandbox_web_client_t)
494f21
+corenet_tcp_connect_ftp_port(sandbox_web_client_t)
494f21
+corenet_tcp_connect_ipp_port(sandbox_web_client_t)
494f21
+corenet_tcp_connect_generic_port(sandbox_web_client_t)
494f21
+corenet_sendrecv_http_client_packets(sandbox_web_client_t)
494f21
+corenet_sendrecv_http_cache_client_packets(sandbox_web_client_t)
494f21
+corenet_sendrecv_ftp_client_packets(sandbox_web_client_t)
494f21
+corenet_sendrecv_ipp_client_packets(sandbox_web_client_t)
494f21
+corenet_sendrecv_generic_client_packets(sandbox_web_client_t)
494f21
+# Should not need other ports
494f21
+corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_client_t)
494f21
+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t)
494f21
+corenet_tcp_connect_speech_port(sandbox_web_client_t)
494f21
+
494f21
+auth_use_nsswitch(sandbox_web_client_t)
494f21
+
494f21
+dbus_system_bus_client(sandbox_web_client_t)
494f21
+dbus_read_config(sandbox_web_client_t)
494f21
+selinux_get_fs_mount(sandbox_web_client_t)
494f21
+selinux_validate_context(sandbox_web_client_t)
494f21
+selinux_compute_access_vector(sandbox_web_client_t)
494f21
+selinux_compute_create_context(sandbox_web_client_t)
494f21
+selinux_compute_relabel_context(sandbox_web_client_t)
494f21
+selinux_compute_user_contexts(sandbox_web_client_t)
494f21
+seutil_read_default_contexts(sandbox_web_client_t)
494f21
+
494f21
+optional_policy(`
494f21
+	nsplugin_read_rw_files(sandbox_web_client_t)
494f21
+	nsplugin_rw_exec(sandbox_web_client_t)
494f21
+')
494f21
+
494f21
+optional_policy(`
494f21
+	hal_dbus_chat(sandbox_web_client_t)
494f21
+')
494f21
+
494f21
+########################################
494f21
+#
494f21
+# sandbox_net_client_t local policy
494f21
+#
494f21
+allow sandbox_net_client_t self:tcp_socket create_socket_perms;
494f21
+allow sandbox_net_client_t self:udp_socket create_socket_perms;
494f21
+allow sandbox_net_client_t self:dbus { acquire_svc send_msg };
494f21
+allow sandbox_net_client_t self:netlink_selinux_socket create_socket_perms;
494f21
+
494f21
+dev_read_rand(sandbox_net_client_t)
494f21
 
494f21
-manage_dirs_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
494f21
-manage_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
494f21
-manage_lnk_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
494f21
-manage_fifo_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
494f21
-manage_sock_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
494f21
+corenet_all_recvfrom_unlabeled(sandbox_net_client_t)
494f21
+corenet_all_recvfrom_netlabel(sandbox_net_client_t)
494f21
+corenet_tcp_sendrecv_generic_if(sandbox_net_client_t)
494f21
+corenet_udp_sendrecv_generic_if(sandbox_net_client_t)
494f21
+corenet_tcp_sendrecv_generic_node(sandbox_net_client_t)
494f21
+corenet_udp_sendrecv_generic_node(sandbox_net_client_t)
494f21
+corenet_tcp_sendrecv_all_ports(sandbox_net_client_t)
494f21
+corenet_udp_sendrecv_all_ports(sandbox_net_client_t)
494f21
+corenet_tcp_connect_all_ports(sandbox_net_client_t)
494f21
+corenet_sendrecv_all_client_packets(sandbox_net_client_t)
494f21
 
494f21
-files_rw_all_inherited_files(sandbox_t)
494f21
-files_entrypoint_all_files(sandbox_t)
494f21
+auth_use_nsswitch(sandbox_net_client_t)
494f21
 
494f21
-libs_use_ld_so(sandbox_t)
494f21
-libs_use_shared_libs(sandbox_t)
494f21
+dbus_system_bus_client(sandbox_net_client_t)
494f21
+dbus_read_config(sandbox_net_client_t)
494f21
+selinux_get_fs_mount(sandbox_net_client_t)
494f21
+selinux_validate_context(sandbox_net_client_t)
494f21
+selinux_compute_access_vector(sandbox_net_client_t)
494f21
+selinux_compute_create_context(sandbox_net_client_t)
494f21
+selinux_compute_relabel_context(sandbox_net_client_t)
494f21
+selinux_compute_user_contexts(sandbox_net_client_t)
494f21
+seutil_read_default_contexts(sandbox_net_client_t)
494f21
 
494f21
-miscfiles_read_localization(sandbox_t)
494f21
+optional_policy(`
494f21
+	nsplugin_read_rw_files(sandbox_web_client_t)
494f21
+	nsplugin_rw_exec(sandbox_web_client_t)
494f21
+')
494f21
 
494f21
-userdom_use_user_ptys(sandbox_t)
494f21
+optional_policy(`
494f21
+	hal_dbus_chat(sandbox_net_client_t)
494f21
+')
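Review bot: the optional_policy block in the sandbox_net_client_t section calls `nsplugin_read_rw_files(sandbox_web_client_t)` and `nsplugin_rw_exec(sandbox_web_client_t)`, which exactly duplicates the block already present in the sandbox_web_client_t section; by its position it was presumably meant to name sandbox_net_client_t, so either change the argument or drop the block. Granting sandbox_domain corecmd_exec_all_executables and files_entrypoint_all_files is very broad for a confinement mechanism; if that is deliberate because the sandbox is expected to run arbitrary user programs, a one-line comment saying so would prevent it being read as an error.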
23ec6c
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.12/policy/modules/apps/screen.if
23ec6c
--- nsaserefpolicy/policy/modules/apps/screen.if	2009-06-25 10:19:43.000000000 +0200
23ec6c
+++ serefpolicy-3.6.12/policy/modules/apps/screen.if	2009-08-05 23:21:33.000000000 +0200
23ec6c
@@ -62,6 +62,7 @@
23ec6c
 	manage_dirs_pattern($1_screen_t, screen_dir_t, screen_dir_t)
23ec6c
 	filetrans_pattern($1_screen_t, screen_dir_t, screen_var_run_t, fifo_file)
23ec6c
 	files_pid_filetrans($1_screen_t, screen_dir_t, dir)
23ec6c
+	dontaudit $3 screen_var_run_t:fifo_file read;
23ec6c
 
23ec6c
 	allow $1_screen_t screen_home_t:dir list_dir_perms;
23ec6c
 	read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
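Review bot: The new `dontaudit $3 screen_var_run_t:fifo_file read;` carries no comment explaining why the third template argument (presumably the user domain) is expected to hit this denial, so a later reader cannot tell whether the suppression is still needed or is now hiding a real misconfiguration. Because dontaudit removes an AVC event that operators might otherwise rely on for triage, record the rationale on the line above it, e.g. `# user domain probing the screen session fifo is expected noise (cause: <fill in>); suppress, do not allow`. The template body continues outside the hunk, so the meaning of `$3` cannot be confirmed from here.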
2eeb52
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.12/policy/modules/apps/vmware.fc
26b349
--- nsaserefpolicy/policy/modules/apps/vmware.fc	2009-04-07 21:54:49.000000000 +0200
26b349
+++ serefpolicy-3.6.12/policy/modules/apps/vmware.fc	2009-06-25 10:21:01.000000000 +0200
2eeb52
@@ -63,6 +63,7 @@
2eeb52
 ')
2eeb52
 
2eeb52
 /var/log/vmware.* 		--	gen_context(system_u:object_r:vmware_log_t,s0)
2eeb52
+/var/log/vnetlib.*		--	gen_context(system_u:object_r:vmware_log_t,s0)
2eeb52
 
2eeb52
 /var/run/vmnat.* 		-s	gen_context(system_u:object_r:vmware_var_run_t,s0)
2eeb52
 /var/run/vmware.* 			gen_context(system_u:object_r:vmware_var_run_t,s0)
2463bf
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.12/policy/modules/apps/vmware.te
26b349
--- nsaserefpolicy/policy/modules/apps/vmware.te	2009-06-25 10:19:44.000000000 +0200
26b349
+++ serefpolicy-3.6.12/policy/modules/apps/vmware.te	2009-06-25 10:21:01.000000000 +0200
2463bf
@@ -136,7 +136,7 @@
2463bf
 
2463bf
 miscfiles_read_localization(vmware_host_t)
2463bf
 
2463bf
-sysnet_dns_name_resolve(vmware_host_t)
2463bf
+auth_use_nsswitch(vmware_host_t)
2463bf
 
2463bf
 storage_getattr_fixed_disk_dev(vmware_host_t)
2463bf
 
2463bf
@@ -160,6 +160,10 @@
2463bf
         xserver_common_app(vmware_host_t)
2463bf
 ')
2463bf
 
2463bf
+optional_policy(`
2463bf
+	unconfined_domain(vmware_host_t)
2463bf
+	unconfined_domain(vmware_t)
2463bf
+')
2463bf
 
2463bf
 ifdef(`TODO',`
2463bf
 # VMWare need access to pcmcia devices for network
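Review bot: `unconfined_domain(vmware_host_t)` and `unconfined_domain(vmware_t)` in a bare `optional_policy` make both VMware domains fully unconfined whenever the unconfined module is loaded, which silently discards every rule the rest of vmware.te defines for them and cannot be switched off at runtime. If this is a deliberate stop-gap, say so where the rule lives, e.g. `# vmware_host_t/vmware_t are unconfined because <missing rules not yet known>; remove once the confined policy is complete`, and consider whether only one of the two domains actually needs it. As written, a reader of the module has no way to know the confinement below this point is not in effect on Red Hat builds.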
036370
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc
26b349
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2009-06-25 10:19:44.000000000 +0200
c7eb8b
+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc	2009-08-13 17:13:38.000000000 +0200
c7eb8b
@@ -7,6 +7,7 @@
036370
 /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
036370
 /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
036370
 /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
036370
+/bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
036370
 /bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
036370
 /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
036370
 /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
c7eb8b
@@ -69,6 +70,8 @@
e6583a
 /etc/ppp/ipv6-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
e6583a
 /etc/ppp/ipv6-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
e6583a
 
e6583a
+/etc/racoon/scripts(/.*)?  		gen_context(system_u:object_r:bin_t,s0)
e6583a
+
e6583a
 /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
e6583a
 
e6583a
 /etc/security/namespace.init    --      gen_context(system_u:object_r:bin_t,s0)
c7eb8b
@@ -119,6 +122,7 @@
c7eb8b
 /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
c7eb8b
 /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
c7eb8b
 /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
c7eb8b
+/sbin/nologin                   --      gen_context(system_u:object_r:shell_exec_t,s0)
c7eb8b
 
c7eb8b
 #
c7eb8b
 # /opt
674dfa
@@ -145,6 +149,7 @@
036370
 /usr/(.*/)?Bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
036370
 /usr/(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
036370
 /usr/bin/git-shell		--	gen_context(system_u:object_r:shell_exec_t,s0)
036370
+/usr/bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
036370
 /usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
036370
 
036370
 /usr/lib(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
674dfa
@@ -217,8 +222,11 @@
70a0fb
 /usr/share/PackageKit/pk-upgrade-distro\.sh -- 	gen_context(system_u:object_r:bin_t,s0)
70a0fb
 /usr/share/PackageKit/helpers(/.*)?	gen_context(system_u:object_r:bin_t,s0)
70a0fb
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
70a0fb
+/usr/share/shorewall/configpath	--      gen_context(system_u:object_r:bin_t,s0)
70a0fb
+/usr/share/shorewall-perl(/.*)?	        gen_context(system_u:object_r:bin_t,s0)
70a0fb
 /usr/share/shorewall-shell(/.*)?        gen_context(system_u:object_r:bin_t,s0)
70a0fb
-/usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
70a0fb
+/usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
70a0fb
+/usr/share/shorewall6-lite(/.*)?        gen_context(system_u:object_r:bin_t,s0)
70a0fb
 
70a0fb
 /usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
70a0fb
 
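Review bot: The `/usr/share/turboprint/lib(/.*)?` entry is removed outright rather than corrected: its `--` (regular files only) contradicted the `(/.*)?` directory pattern, but dropping the line means turboprint's helper binaries fall back to the parent label and may no longer be executable from confined domains. Unless the entry was moved to another module outside this view, the minimal fix is `/usr/share/turboprint/lib(/.*)?	gen_context(system_u:object_r:bin_t,s0)` with the `--` dropped, matching the neighbouring shorewall lines. The new shorewall-perl and shorewall-lite lines also align the context column with spaces where the file uses tabs; the `-b` diff option hides that, but the committed file still carries it.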
00eb02
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in
26b349
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2009-06-25 10:19:44.000000000 +0200
674dfa
+++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in	2009-08-13 08:57:43.000000000 +0200
674dfa
@@ -107,6 +107,7 @@
674dfa
 network_port(giftd, tcp,1213,s0)
674dfa
 network_port(gopher, tcp,70,s0, udp,70,s0)
674dfa
 network_port(gpsd,tcp,2947,s0)
674dfa
+network_port(hddtemp, tcp,7634,s0)
674dfa
 network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
674dfa
 portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0)
674dfa
 network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
674dfa
@@ -116,7 +117,7 @@
68fb38
 network_port(imaze, tcp,5323,s0, udp,5323,s0)
68fb38
 network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
68fb38
 network_port(innd, tcp,119,s0)
68fb38
-network_port(ipp, tcp,631,s0, udp,631,s0)
68fb38
+network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8611,s0, udp,8611,s0)
68fb38
 network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
68fb38
 network_port(ircd, tcp,6667,s0)
68fb38
 network_port(ipmi, udp,623,s0, udp,664,s0)
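Review bot: Port 8611 is added to `ipp_port_t` for both tcp and udp with no comment saying which service uses it, unlike the neighbouring `# 8118 is for privoxy` annotation; the same applies to tcp/3905 added to `mail_port_t` in the next hunk. Every domain already granted ipp or mail port access now reaches those ports too, so the rationale should be recorded inline, e.g. `network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8611,s0, udp,8611,s0) # 8611 is for <service>`. If only one protocol is actually used on 8611, drop the other entry to keep the grant minimal.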
674dfa
@@ -134,7 +135,7 @@
00eb02
 network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
00eb02
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
00eb02
 network_port(lmtp, tcp,24,s0, udp,24,s0)
00eb02
-network_port(mail, tcp,2000,s0)
00eb02
+network_port(mail, tcp,2000,s0, tcp,3905,s0)
00eb02
 network_port(memcache, tcp,11211,s0, udp,11211,s0)
00eb02
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
00eb02
 network_port(monopd, tcp,1234,s0)
036370
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.12/policy/modules/kernel/devices.fc
26b349
--- nsaserefpolicy/policy/modules/kernel/devices.fc	2009-06-25 10:19:44.000000000 +0200
26b349
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.fc	2009-06-25 10:21:01.000000000 +0200
e6583a
@@ -46,8 +46,10 @@
e6583a
 /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
e6583a
 /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
036370
 /dev/kqemu		-c	gen_context(system_u:object_r:qemu_device_t,s0)
e6583a
+/dev/ksm		-c	gen_context(system_u:object_r:ksm_device_t,s0)
036370
 /dev/kvm		-c	gen_context(system_u:object_r:kvm_device_t,s0)
036370
 /dev/lik.*		-c	gen_context(system_u:object_r:event_device_t,s0)
036370
+/dev/lirc[0-9]+        -c      gen_context(system_u:object_r:lirc_device_t,s0)
036370
 /dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
036370
 /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
036370
 /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
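Review bot: `/dev/lirc[0-9]+` only matches numbered nodes, while the new type comment in devices.te describes `lirc_device_t` as the type for `/dev/lirc`; if the driver ever exposes a bare `/dev/lirc` node it would stay at the generic device_t label and `dev_rw_lirc` would not cover it. If a bare node is possible, `/dev/lirc[0-9]*` covers both cases and still leaves `/dev/lircm` on mouse_device_t, since `m` is not a digit. The new line also aligns its columns with spaces where the surrounding entries use tabs.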
036370
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.12/policy/modules/kernel/devices.if
26b349
--- nsaserefpolicy/policy/modules/kernel/devices.if	2009-06-25 10:19:44.000000000 +0200
be2bab
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.if	2009-07-03 11:25:38.000000000 +0200
e6583a
@@ -1727,6 +1727,133 @@
036370
 
e6583a
 ########################################
e6583a
 ## <summary>
e6583a
+##	Get the attributes of the ksm devices.
e6583a
+## </summary>
e6583a
+## <param name="domain">
e6583a
+##	<summary>
e6583a
+##	Domain allowed access.
e6583a
+##	</summary>
e6583a
+## </param>
e6583a
+#
e6583a
+interface(`dev_getattr_ksm_dev',`
e6583a
+	gen_require(`
e6583a
+		type device_t, ksm_device_t;
e6583a
+	')
e6583a
+
e6583a
+	getattr_chr_files_pattern($1, device_t, ksm_device_t)
e6583a
+')
e6583a
+
e6583a
+########################################
e6583a
+## <summary>
e6583a
+##	Set the attributes of the ksm devices.
e6583a
+## </summary>
e6583a
+## <param name="domain">
e6583a
+##	<summary>
e6583a
+##	Domain allowed access.
e6583a
+##	</summary>
e6583a
+## </param>
e6583a
+#
e6583a
+interface(`dev_setattr_ksm_dev',`
e6583a
+	gen_require(`
e6583a
+		type device_t, ksm_device_t;
e6583a
+	')
e6583a
+
e6583a
+	setattr_chr_files_pattern($1, device_t, ksm_device_t)
e6583a
+')
e6583a
+
e6583a
+########################################
e6583a
+## <summary>
e6583a
+##	Read the ksm devices.
e6583a
+## </summary>
e6583a
+## <param name="domain">
e6583a
+##	<summary>
e6583a
+##	Domain allowed access.
e6583a
+##	</summary>
e6583a
+## </param>
e6583a
+#
e6583a
+interface(`dev_read_ksm',`
e6583a
+	gen_require(`
e6583a
+		type device_t, ksm_device_t;
e6583a
+	')
e6583a
+
e6583a
+	read_chr_files_pattern($1, device_t, ksm_device_t)
e6583a
+')
e6583a
+
e6583a
+########################################
e6583a
+## <summary>
e6583a
+##      Read and write to ksm devices.
e6583a
+## </summary>
e6583a
+## <param name="domain">
e6583a
+##	<summary>
e6583a
+##      Domain allowed access.
e6583a
+##	</summary>
e6583a
+## </param>
e6583a
+#
e6583a
+interface(`dev_rw_ksm',`
e6583a
+	gen_require(`
e6583a
+		type device_t, ksm_device_t;
e6583a
+	')
e6583a
+
e6583a
+	rw_chr_files_pattern($1, device_t, ksm_device_t)
e6583a
+')
e6583a
+
036370
+######################################
036370
+## <summary>
036370
+##      Read the lirc device.
036370
+## </summary>
036370
+## <param name="domain">
036370
+##      <summary>
036370
+##      Domain allowed access.
036370
+##      </summary>
036370
+## </param>
036370
+#
036370
+interface(`dev_read_lirc',`
036370
+        gen_require(`
036370
+                type device_t, lirc_device_t;
036370
+        ')
036370
+
036370
+        read_chr_files_pattern($1, device_t, lirc_device_t)
036370
+')
036370
+
036370
+######################################
036370
+## <summary>
036370
+##      Read and write the lirc device.
036370
+## </summary>
036370
+## <param name="domain">
036370
+##      <summary>
036370
+##      Domain allowed access.
036370
+##      </summary>
036370
+## </param>
036370
+#
036370
+interface(`dev_rw_lirc',`
036370
+        gen_require(`
036370
+                type device_t, lirc_device_t;
036370
+        ')
036370
+
036370
+        rw_chr_files_pattern($1, device_t, lirc_device_t)
036370
+')
036370
+
036370
+######################################
036370
+## <summary>
036370
+##      Automatic type transition to the type
036370
+##      for lirc device nodes when created in /dev.
036370
+## </summary>
036370
+## <param name="domain">
036370
+##      <summary>
036370
+##      Domain allowed access.
036370
+##      </summary>
036370
+## </param>
036370
+#
036370
+interface(`dev_filetrans_lirc',`
036370
+        gen_require(`
036370
+                type device_t, lirc_device_t;
036370
+        ')
036370
+
036370
+        filetrans_pattern($1, device_t, lirc_device_t, chr_file)
036370
+')
036370
+
e6583a
+########################################
e6583a
+## <summary>
036370
 ##	Read the lvm comtrol device.
e6583a
 ## </summary>
e6583a
 ## <param name="domain">
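Review bot: The three lirc interfaces (`dev_read_lirc`, `dev_rw_lirc`, `dev_filetrans_lirc`) are indented with eight spaces and use 30-character `#` header bars, whereas the ksm interfaces added in the same hunk and the rest of this file use a tab and 40-character bars; re-indent the lirc bodies with tabs so the file stays uniform. Otherwise the blocks are consistent with the existing pattern: each `gen_require` names exactly the types its pattern call uses.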
be2bab
@@ -3780,3 +3907,21 @@
be2bab
 
be2bab
 	typeattribute $1 devices_unconfined_type;
be2bab
 ')
be2bab
+
be2bab
+######################################
be2bab
+## <summary>
be2bab
+##      Set the attributes of the tty device
be2bab
+## </summary>
be2bab
+## <param name="domain">
be2bab
+##      <summary>
be2bab
+##      Domain allowed access.
be2bab
+##      </summary>
be2bab
+## </param>
be2bab
+#
be2bab
+interface(`dev_setattr_tty',`
be2bab
+       gen_require(`
be2bab
+               type devtty_t;
be2bab
+       ')
be2bab
+
be2bab
+       setattr_chr_files_pattern($1, devtty_t, devtty_t)
be2bab
+')
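Review bot: `setattr_chr_files_pattern($1, devtty_t, devtty_t)` passes devtty_t as the directory type, which grants a meaningless `devtty_t:dir search` and departs from every other interface in this file, which use device_t as the container; the expected form is `type device_t, devtty_t;` in the `gen_require` and `setattr_chr_files_pattern($1, device_t, devtty_t)`. If devtty_t is declared by the terminal module rather than devices (as it is in upstream refpolicy), this interface also belongs in terminal.if as a term_* interface so that the devices module does not reach into another module's types. The body is indented with seven spaces rather than the file's tab.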
036370
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.12/policy/modules/kernel/devices.te
26b349
--- nsaserefpolicy/policy/modules/kernel/devices.te	2009-06-25 10:19:44.000000000 +0200
26b349
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.te	2009-06-25 10:21:01.000000000 +0200
e6583a
@@ -78,6 +78,13 @@
e6583a
 dev_node(ipmi_device_t)
e6583a
 
e6583a
 #
e6583a
+# ksm_device_t is the type of
e6583a
+# /dev/ksm
e6583a
+#
e6583a
+type ksm_device_t;
e6583a
+dev_node(ksm_device_t)
e6583a
+
e6583a
+#
e6583a
 # Type for /dev/kmsg
e6583a
 #
e6583a
 type kmsg_device_t;
e6583a
@@ -91,6 +98,12 @@
036370
 dev_node(kvm_device_t)
036370
 
036370
 #
036370
+# Type for /dev/lirc
036370
+#
036370
+type lirc_device_t;
036370
+dev_node(lirc_device_t)
036370
+
036370
+#
036370
 # Type for /dev/mapper/control
036370
 #
036370
 type lvm_control_t;
60c6cb
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if
26b349
--- nsaserefpolicy/policy/modules/kernel/domain.if	2009-06-25 10:19:44.000000000 +0200
d9ce44
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if	2009-07-07 08:21:23.000000000 +0200
a0a290
@@ -44,34 +44,6 @@
a0a290
 interface(`domain_type',`
a0a290
 	# start with basic domain
a0a290
 	domain_base_type($1)
a0a290
-
a0a290
-	ifdef(`distro_redhat',`
a0a290
-		optional_policy(`
a0a290
-			unconfined_use_fds($1)
a0a290
-		')
a0a290
-	')
a0a290
-
a0a290
-	# send init a sigchld and signull
a0a290
-	optional_policy(`
a0a290
-		init_sigchld($1)
a0a290
-		init_signull($1)
a0a290
-	')
a0a290
-
a0a290
-	# these seem questionable:
a0a290
-
a0a290
-	optional_policy(`
a0a290
-		rpm_use_fds($1)
a0a290
-		rpm_read_pipes($1)
a0a290
-	')
a0a290
-
a0a290
-	optional_policy(`
60c6cb
-		selinux_dontaudit_getattr_fs($1)
e6583a
-		selinux_dontaudit_read_fs($1)
a0a290
-	')
a0a290
-
a0a290
-	optional_policy(`
a0a290
-		seutil_dontaudit_read_config($1)
a0a290
-	')
a0a290
 ')
60c6cb
 
a0a290
 ########################################
d9ce44
@@ -1338,3 +1310,20 @@
d9ce44
 	typeattribute $1 process_uncond_exempt;
d9ce44
 ')
d9ce44
 
d9ce44
+#######################################
d9ce44
+## <summary>
d9ce44
+## Send generic signals to the unconfined domains.
d9ce44
+## </summary>
d9ce44
+## <param name="domain">
d9ce44
+## <summary>
d9ce44
+## Domain allowed access.
d9ce44
+## </summary>
d9ce44
+## </param>
d9ce44
+#
d9ce44
+interface(`domain_unconfined_signal',`
d9ce44
+	gen_require(`
d9ce44
+		type unconfined_domain_type;
d9ce44
+	')
d9ce44
+
d9ce44
+	allow $1 unconfined_domain_type:process signal;
d9ce44
+')
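Review bot: The documentation block for `domain_unconfined_signal` drops the tab after `##` that the other interface comments in this file use (`##	Send generic …`, `##	Domain allowed access.`), and its header bar is shorter than the neighbouring ones. The rule grants only the `signal` permission, so the summary should make clear it is not the full signal_perms set, e.g. `##	Send generic signals (the signal permission; not sigkill, sigstop or sigchld) to unconfined domains.`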
e6583a
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te
26b349
--- nsaserefpolicy/policy/modules/kernel/domain.te	2009-06-25 10:19:44.000000000 +0200
d92107
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te	2009-09-02 11:03:42.000000000 +0200
e6583a
@@ -91,6 +91,9 @@
e6583a
 kernel_read_proc_symlinks(domain)
e6583a
 kernel_read_crypto_sysctls(domain)
e6583a
 
e6583a
+# All executables should be able to search the directory they are in
e6583a
+corecmd_search_bin(domain)
e6583a
+
e6583a
 # Every domain gets the key ring, so we should default
e6583a
 # to no one allowed to look at it; afs kernel support creates
e6583a
 # a keyring
a0a290
@@ -108,6 +111,15 @@
a0a290
 # list the root directory
a0a290
 files_list_root(domain)
a0a290
 
a0a290
+selinux_getattr_fs(domain)
a0a290
+selinux_search_fs(domain)
a0a290
+selinux_dontaudit_read_fs(domain)
a0a290
+
a0a290
+init_sigchld(domain)
a0a290
+init_signull(domain)
a0a290
+
a0a290
+seutil_dontaudit_read_config(domain)
a0a290
+
a0a290
 tunable_policy(`global_ssp',`
a0a290
 	# enable reading of urandom for all domains:
a0a290
 	# this should be enabled when all programs
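Review bot: `init_sigchld(domain)`, `init_signull(domain)` and `seutil_dontaudit_read_config(domain)` are called unconditionally here, whereas the code they replace in domain.if wrapped the same calls in `optional_policy`; unless init and seutil are part of the base module set in this build, the kernel-layer domain module now hard-depends on them at link time. The same applies to `dbus_dontaudit_system_bus_rw_tcp_sockets(domain)` and `cron_dontaudit_rw_tcp_sockets(domain)` in the hide_broken_symptoms hunk at the end of this file section. Restoring the wrappers, `optional_policy(`` / ``init_sigchld(domain)`` / ``')` and likewise for the seutil call, keeps the behaviour while preserving the optional dependency.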
a0a290
@@ -116,6 +128,12 @@
a0a290
 	dev_read_urand(domain)
a0a290
 ')
a0a290
 
a0a290
+ifdef(`distro_redhat',`
a0a290
+	optional_policy(`
a0a290
+		unconfined_use_fds(domain)
a0a290
+	')
a0a290
+')
a0a290
+
a0a290
 optional_policy(`
a0a290
 	afs_rw_cache(domain)
a0a290
 ')
d92107
@@ -125,6 +143,13 @@
a0a290
 	libs_use_shared_libs(domain)
a0a290
 ')
a0a290
 
a0a290
+# these seem questionable:
a0a290
+optional_policy(`
a0a290
+	rpm_use_fds(domain)
a0a290
+	rpm_read_pipes(domain)
d92107
+	rpm_dontaudit_leaks(domain)
a0a290
+')
a0a290
+
a0a290
 optional_policy(`
a0a290
 	setrans_translate_context(domain)
a0a290
 ')
d92107
@@ -152,8 +177,7 @@
8bec04
 allow unconfined_domain_type domain:fd use;
8bec04
 allow unconfined_domain_type domain:fifo_file rw_file_perms;
8bec04
 
8bec04
-allow unconfined_domain_type domain:dbus send_msg;
8bec04
-allow domain unconfined_domain_type:dbus send_msg;
8bec04
+allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
8bec04
 
8bec04
 # Act upon any other process.
8bec04
 allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
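Review bot: Replacing the two `domain`/`unconfined_domain_type` dbus send_msg rules with `allow unconfined_domain_type unconfined_domain_type:dbus send_msg;` withdraws bus messaging between confined domains and unconfined peers; that is a sound least-privilege tightening, but every confined domain that talks to an unconfined bus service now needs its own rule or it will start failing with dbus send_msg denials. A comment recording the intent would make those denials easy to triage, e.g. `# only unconfined domains message each other freely; confined domains get bus access per domain`. The surrounding unconfined_domain_type rules continue outside the hunk.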
d92107
@@ -185,7 +209,10 @@
40f5c9
 
494f21
 ifdef(`hide_broken_symptoms',`
494f21
 	fs_list_inotifyfs(domain)
40f5c9
+	dontaudit domain self:udp_socket listen;
494f21
 	allow domain domain:key { link search };
494f21
+	dbus_dontaudit_system_bus_rw_tcp_sockets(domain)
832e49
+	cron_dontaudit_rw_tcp_sockets(domain)
494f21
 ')
494f21
 ')
494f21
 
070ff2
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
26b349
--- nsaserefpolicy/policy/modules/kernel/files.if	2009-06-25 10:19:44.000000000 +0200
a0754b
+++ serefpolicy-3.6.12/policy/modules/kernel/files.if	2009-09-14 14:40:51.000000000 +0200
a0754b
@@ -1953,6 +1953,8 @@