d4151f
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.6.32/policy/modules/admin/smoltclient.te
d4151f
--- nsaserefpolicy/policy/modules/admin/smoltclient.te	2010-01-18 18:24:22.573543214 +0100
d4151f
+++ serefpolicy-3.6.32/policy/modules/admin/smoltclient.te	2010-01-25 11:03:49.548441857 +0100
d4151f
@@ -48,6 +48,8 @@
d4151f
 files_read_etc_files(smoltclient_t)
d4151f
 files_read_usr_files(smoltclient_t)
d4151f
 
d4151f
+logging_send_syslog_msg(smoltclient_t)
d4151f
+
d4151f
 miscfiles_read_localization(smoltclient_t)
d4151f
 
d4151f
 optional_policy(`
e1add2
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.32/policy/modules/admin/usermanage.te
e1add2
--- nsaserefpolicy/policy/modules/admin/usermanage.te	2010-01-18 18:24:22.584530156 +0100
e1add2
+++ serefpolicy-3.6.32/policy/modules/admin/usermanage.te	2010-01-26 14:45:59.214713808 +0100
e1add2
@@ -122,6 +122,10 @@
e1add2
 # on user home dir
e1add2
 userdom_dontaudit_search_user_home_content(chfn_t)
e1add2
 
e1add2
+optional_policy(`
e1add2
+	nx_exec_server(chfn_t)
e1add2
+')
e1add2
+
e1add2
 ########################################
e1add2
 #
e1add2
 # Crack local policy
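Review bot: The new `nx_exec_server(chfn_t)` block gives the setuid chfn domain execute access to the NX server binary with no comment saying which call path needs it, and an `_exec_` interface normally keeps the caller in its own domain, so that code would run with chfn_t's privileges (the interface body is not visible here, so confirm it is a plain can_exec). Add a one-line comment above the block naming the trigger, e.g. `# <why chfn must run the NX server helper — fill in>`. If a separate domain exists for the NX server, a domtrans interface would keep chfn_t's privileges out of it.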
8067f5
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.32/policy/modules/apps/gnome.fc
8067f5
--- nsaserefpolicy/policy/modules/apps/gnome.fc	2010-01-18 18:24:22.594539949 +0100
8067f5
+++ serefpolicy-3.6.32/policy/modules/apps/gnome.fc	2010-01-21 18:31:02.867611919 +0100
8067f5
@@ -3,6 +3,14 @@
8067f5
 HOME_DIR/\.gnome2(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
8067f5
 HOME_DIR/\.local.*		gen_context(system_u:object_r:gconf_home_t,s0)
8067f5
 HOME_DIR/\.pulse(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
8067f5
+HOME_DIR/\.gstreamer-.*	gen_context(system_u:object_r:gstreamer_home_t,s0)
8067f5
+
8067f5
+/root/\.config(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
8067f5
+/root/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
8067f5
+/root/\.gnome2(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
8067f5
+/root/\.local.*		gen_context(system_u:object_r:gconf_home_t,s0)
8067f5
+/root/\.pulse(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
8067f5
+/root/\.gstreamer-.*	gen_context(system_u:object_r:gstreamer_home_t,s0)
8067f5
 
8067f5
 /etc/gconf(/.*)?		gen_context(system_u:object_r:gconf_etc_t,s0)
8067f5
 
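Review bot: The `HOME_DIR/\.gstreamer-.*` pattern moves here from nsplugin.fc (where the commit deletes its `nsplugin_home_t` entry) and now gets the new `gstreamer_home_t`, so any domain that reached the gstreamer registry through `nsplugin_home_t` rules needs `gnome_home_type` access instead; no nsplugin.te change is in this diff, so confirm that is handled elsewhere. Separately, `/root/\.local.*` (copied from the HOME_DIR form) matches any name beginning with `.local`, such as `/root/.localized`; `/root/\.local(/.*)?` would be tighter and mirrors the other entries in this block.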
8067f5
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.32/policy/modules/apps/gnome.if
8067f5
--- nsaserefpolicy/policy/modules/apps/gnome.if	2010-01-18 18:24:22.595534558 +0100
8067f5
+++ serefpolicy-3.6.32/policy/modules/apps/gnome.if	2010-01-21 18:31:10.642612238 +0100
8067f5
@@ -84,12 +84,12 @@
8067f5
 #
8067f5
 interface(`gnome_manage_config',`
8067f5
 	gen_require(`
8067f5
-		type gnome_home_t;
8067f5
+		attribute gnome_home_type;	
8067f5
 	')
8067f5
 
8067f5
-	allow $1 gnome_home_t:dir manage_dir_perms;
8067f5
-	allow $1 gnome_home_t:file manage_file_perms;
8067f5
-	allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
8067f5
+	allow $1 gnome_home_type:dir manage_dir_perms;
8067f5
+	allow $1 gnome_home_type:file manage_file_perms;
8067f5
+	allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
8067f5
 	userdom_search_user_home_dirs($1)
8067f5
 ')
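Review bot: Rewriting `gnome_manage_config` (and `gnome_read_config`, `gnome_stream_connect`, `gnome_write_inherited_config` in the following three hunks) from `gnome_home_t` to the `gnome_home_type` attribute widens every existing caller to every type that carries the attribute — today `gstreamer_home_t`, but also anything added later — without the callers changing. The interface summaries sit above each hunk and are not visible here; they should state that the whole attribute is covered, e.g. `## Manage all gnome_home_type files (gnome and gstreamer home content).` Also, the replaced `attribute gnome_home_type;` lines in this hunk and the next two end in a trailing tab.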
8067f5
 
8067f5
@@ -129,12 +129,12 @@
8067f5
 #
8067f5
 template(`gnome_read_config',`
8067f5
 	gen_require(`
8067f5
-		type gnome_home_t;
8067f5
+		attribute gnome_home_type;	
8067f5
 	')
8067f5
 
8067f5
-	list_dirs_pattern($1, gnome_home_t, gnome_home_t)
8067f5
-	read_files_pattern($1, gnome_home_t, gnome_home_t)
8067f5
-	read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
8067f5
+	list_dirs_pattern($1, gnome_home_type, gnome_home_type)
8067f5
+	read_files_pattern($1, gnome_home_type, gnome_home_type)
8067f5
+	read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
8067f5
 ')
8067f5
 
8067f5
 ########################################
8067f5
@@ -255,11 +255,11 @@
8067f5
 #
8067f5
 interface(`gnome_stream_connect',`
8067f5
 	gen_require(`
8067f5
-		type gnome_home_t;
8067f5
+		attribute gnome_home_type;	
8067f5
 	')
8067f5
 
8067f5
 	# Connect to pulseaudit server
8067f5
-	stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2)
8067f5
+	stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
8067f5
 ')
8067f5
 
8067f5
 ########################################
8067f5
@@ -274,8 +274,8 @@
8067f5
 #
8067f5
 interface(`gnome_write_inherited_config',`
8067f5
 	gen_require(`
8067f5
-		type gnome_home_t;
8067f5
+		attribute gnome_home_type;
8067f5
 	')
8067f5
 
8067f5
-	allow $1 gnome_home_t:file rw_inherited_file_perms;
8067f5
+	allow $1 gnome_home_type:file rw_inherited_file_perms;
8067f5
 ')
8067f5
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.32/policy/modules/apps/gnome.te
8067f5
--- nsaserefpolicy/policy/modules/apps/gnome.te	2010-01-18 18:24:22.596529936 +0100
8067f5
+++ serefpolicy-3.6.32/policy/modules/apps/gnome.te	2010-01-21 18:31:15.086614286 +0100
8067f5
@@ -7,6 +7,7 @@
8067f5
 #
8067f5
 
8067f5
 attribute gnomedomain;
8067f5
+attribute gnome_home_type;
8067f5
 
8067f5
 type gconf_etc_t;
8067f5
 files_config_file(gconf_etc_t)
8067f5
@@ -31,12 +32,15 @@
8067f5
 application_domain(gconfd_t, gconfd_exec_t)
8067f5
 ubac_constrained(gconfd_t)
8067f5
 
8067f5
-type gnome_home_t;
8067f5
+type gnome_home_t, gnome_home_type;
8067f5
 typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
8067f5
 typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
8067f5
 typealias gnome_home_t alias unconfined_gnome_home_t;
8067f5
 userdom_user_home_content(gnome_home_t)
8067f5
 
8067f5
+type gstreamer_home_t, gnome_home_type;
8067f5
+userdom_user_home_content(gstreamer_home_t)
8067f5
+
8067f5
 type gconfdefaultsm_t;
8067f5
 type gconfdefaultsm_exec_t;
8067f5
 dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
8e9aa2
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.6.32/policy/modules/apps/gpg.fc
8e9aa2
--- nsaserefpolicy/policy/modules/apps/gpg.fc	2009-09-16 16:01:19.000000000 +0200
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/apps/gpg.fc	2010-01-19 12:03:52.541857693 +0100
8e9aa2
@@ -1,5 +1,7 @@
8e9aa2
 HOME_DIR/\.gnupg(/.+)?		gen_context(system_u:object_r:gpg_secret_t,s0)
8e9aa2
 
8e9aa2
+/root/\.gnupg(/.+)?  gen_context(system_u:object_r:gpg_secret_t,s0)
8e9aa2
+
8e9aa2
 /usr/bin/gpg(2)?	--	gen_context(system_u:object_r:gpg_exec_t,s0)
8e9aa2
 /usr/bin/gpg-agent	--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)
8e9aa2
 /usr/bin/kgpg		--	gen_context(system_u:object_r:gpg_exec_t,s0)
126a81
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.32/policy/modules/apps/gpg.te
126a81
--- nsaserefpolicy/policy/modules/apps/gpg.te	2010-01-18 18:24:22.605530382 +0100
126a81
+++ serefpolicy-3.6.32/policy/modules/apps/gpg.te	2010-01-20 16:53:29.744859902 +0100
126a81
@@ -112,11 +112,6 @@
126a81
 
126a81
 userdom_use_user_terminals(gpg_t)
126a81
 
126a81
-optional_policy(`
126a81
-	cron_system_entry(gpg_t, gpg_exec_t)
126a81
-	cron_read_system_job_tmp_files(gpg_t)
126a81
-')
126a81
-
126a81
 ########################################
126a81
 #
126a81
 # GPG helper local policy
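Review bot: Dropping the `cron_system_entry(gpg_t, gpg_exec_t)` block means gpg launched from a system cron job no longer transitions into gpg_t and runs in the cron job's own domain, so such jobs lose gpg_t's access to `gpg_secret_t` (including the `/root/.gnupg` entry this same patch adds in gpg.fc) unless their domain is granted it separately. If the transition moved to the cron module or is no longer wanted, a short comment in the gpg_t section saying so would keep it from being re-added; otherwise the block should stay.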
b32d59
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.32/policy/modules/apps/mozilla.fc
8e9aa2
--- nsaserefpolicy/policy/modules/apps/mozilla.fc	2010-01-18 18:24:22.616539953 +0100
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.fc	2010-01-18 18:27:02.741544960 +0100
b32d59
@@ -11,6 +11,7 @@
b32d59
 /usr/bin/netscape		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
b32d59
 /usr/bin/mozilla		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
b32d59
 /usr/bin/mozilla-snapshot	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
b32d59
+/usr/bin/epiphany			--	gen_context(system_u:object_r:mozilla_exec_t,s0)
b32d59
 /usr/bin/epiphany-bin		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
b32d59
 /usr/bin/mozilla-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
b32d59
 /usr/bin/mozilla-bin-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
8067f5
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc
8067f5
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc	2010-01-18 18:24:22.626536127 +0100
8067f5
+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc	2010-01-21 18:31:18.271612626 +0100
8067f5
@@ -1,6 +1,5 @@
8067f5
 HOME_DIR/\.adobe(/.*)?			gen_context(system_u:object_r:nsplugin_home_t,s0)
8067f5
 HOME_DIR/\.macromedia(/.*)?		gen_context(system_u:object_r:nsplugin_home_t,s0)
8067f5
-HOME_DIR/\.gstreamer-.*			gen_context(system_u:object_r:nsplugin_home_t,s0)
8067f5
 HOME_DIR/\.gcjwebplugin(/.*)?		gen_context(system_u:object_r:nsplugin_home_t,s0)
8067f5
 HOME_DIR/\.icedteaplugin(/.*)?		gen_context(system_u:object_r:nsplugin_home_t,s0)
8067f5
 
8e9aa2
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.32/policy/modules/apps/podsleuth.te
8e9aa2
--- nsaserefpolicy/policy/modules/apps/podsleuth.te	2010-01-18 18:24:22.631540185 +0100
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/apps/podsleuth.te	2010-01-19 11:53:14.080857057 +0100
8e9aa2
@@ -73,6 +73,7 @@
8e9aa2
 
8e9aa2
 sysnet_dns_name_resolve(podsleuth_t)
8e9aa2
 
8e9aa2
+userdom_read_user_tmpfs_files(podsleuth_t)
8e9aa2
 userdom_signal_unpriv_users(podsleuth_t)
8e9aa2
 
8e9aa2
 optional_policy(`
8ad564
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if
8e9aa2
--- nsaserefpolicy/policy/modules/apps/sandbox.if	2010-01-18 18:24:22.648539903 +0100
c17c44
+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if	2010-01-22 15:41:50.752727640 +0100
8ad564
@@ -45,9 +45,10 @@
8ad564
 	allow sandbox_x_domain $1:process { sigchld signal };
8ad564
 	allow sandbox_x_domain sandbox_x_domain:process signal;
8ad564
 	# Dontaudit leaked file descriptors
8ad564
-	dontaudit sandbox_x_domain $1:fifo_file rw_fifo_file_perms;
8ad564
+	dontaudit sandbox_x_domain $1:fifo_file { read write };
8ad564
 	dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
8ad564
 	dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
8ad564
+	dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
8ad564
 	
8ad564
 	manage_files_pattern($1, sandbox_file_type, sandbox_file_type);
8ad564
 	manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type);
8ad564
@@ -103,9 +104,10 @@
8ad564
 #
8ad564
 template(`sandbox_x_domain_template',`
8ad564
 	gen_require(`
8ad564
-		type xserver_exec_t;
8ad564
+		type xserver_exec_t, sandbox_devpts_t;
8ad564
 		type sandbox_xserver_t;
8ad564
 		attribute sandbox_domain, sandbox_x_domain;
8ad564
+		attribute sandbox_file_type;
8ad564
 	')
8ad564
 
8ad564
 	type $1_t, sandbox_x_domain;
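Review bot: `sandbox_x_domain_template`'s `gen_require` now pulls in `sandbox_devpts_t` and `sandbox_file_type`, but nothing in the visible hunks of this template references `sandbox_devpts_t`; the template body continues past this hunk, so if no later rule uses it the require should be dropped to keep the template's dependencies minimal. `sandbox_file_type` is likewise only used (visibly) in the two new interfaces at the end of the file, not in this template.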
c17c44
@@ -122,7 +124,7 @@
c17c44
 	manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
c17c44
 
c17c44
 	# window manager
c17c44
-	miscfiles_setattr_fonts_dirs($1_t)
c17c44
+	miscfiles_setattr_fonts_cache_dirs($1_t)
c17c44
 	allow $1_t self:capability setuid;
c17c44
 
c17c44
 	type $1_client_t, sandbox_x_domain;
c17c44
@@ -156,6 +158,8 @@
c17c44
 	ps_process_pattern(sandbox_xserver_t, $1_t)
c17c44
 	allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
c17c44
 	allow sandbox_xserver_t $1_t:shm rw_shm_perms;
c17c44
+	allow $1_client_t $1_t:unix_stream_socket connectto;
c17c44
+	allow $1_t $1_client_t:unix_stream_socket connectto;
c17c44
 
c17c44
 	can_exec($1_client_t, $1_file_t)
c17c44
 	manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t)
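Review bot: The two new `connectto` rules let `$1_client_t` connect to unix stream sockets owned by `$1_t` and vice versa, which opens a channel across the boundary the sandbox templates exist to enforce, yet there is no comment saying which socket needs it. Add a one-line comment above them naming the consumer, e.g. `# <socket/service — fill in>: client and launcher connect to each other's unix sockets`, so a later reviewer can tell whether both directions are still required. The template body continues outside this hunk.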
c17c44
@@ -163,10 +167,6 @@
8ad564
 	manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t)
8ad564
 	manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t)
8ad564
 	manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t)
8ad564
-
8ad564
-	optional_policy(`
8ad564
-		xserver_common_app($1_t)
8ad564
-	')
8ad564
 ')
8ad564
 
8ad564
 ########################################
c17c44
@@ -187,3 +187,39 @@
8ad564
 
8ad564
 	allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
8ad564
 ')
8ad564
+
8ad564
+########################################
8ad564
+## <summary>
8ad564
+##	allow domain to delete sandbox files
8ad564
+## </summary>
8ad564
+## <param name="domain">
8ad564
+##	<summary>
8ad564
+##	Domain to not audit.
8ad564
+##	</summary>
8ad564
+## </param>
8ad564
+#
8ad564
+interface(`sandbox_delete_files',`
8ad564
+	gen_require(`
8ad564
+		attribute sandbox_file_type;
8ad564
+	')
8ad564
+
8ad564
+	delete_files_pattern($1, sandbox_file_type, sandbox_file_type)
8ad564
+')
8ad564
+
8ad564
+########################################
8ad564
+## <summary>
8ad564
+##	allow domain to delete sandbox files
8ad564
+## </summary>
8ad564
+## <param name="domain">
8ad564
+##	<summary>
8ad564
+##	Domain to not audit.
8ad564
+##	</summary>
8ad564
+## </param>
8ad564
+#
8ad564
+interface(`sandbox_delete_dirs',`
8ad564
+	gen_require(`
8ad564
+		attribute sandbox_file_type;
8ad564
+	')
8ad564
+
8ad564
+	delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
8ad564
+')
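Review bot: The XML doc blocks for the two new interfaces are copy-pasted and do not describe them: both say `Domain to not audit.` for the parameter although they grant access, and `sandbox_delete_dirs` is summarised as `allow domain to delete sandbox files`. Change the parameter summaries to `##	Domain allowed access.` and the second summary to `##	Allow domain to delete sandbox directories`. Consider also whether callers need delete on `sandbox_file_type` in general or only on their own `$1_file_t`; the attribute covers every sandbox instance's files.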
8ad564
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te
8e9aa2
--- nsaserefpolicy/policy/modules/apps/sandbox.te	2010-01-18 18:24:22.649539960 +0100
c17c44
+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te	2010-01-22 15:41:56.778871235 +0100
8ad564
@@ -10,14 +10,15 @@
8ad564
 #
8ad564
 
8ad564
 sandbox_domain_template(sandbox)
8ad564
+sandbox_x_domain_template(sandbox_min)
8ad564
 sandbox_x_domain_template(sandbox_x)
8ad564
 sandbox_x_domain_template(sandbox_web)
8ad564
 sandbox_x_domain_template(sandbox_net)
8ad564
 
8ad564
 type sandbox_xserver_t;
8ad564
 domain_type(sandbox_xserver_t)
8ad564
-xserver_common_app(sandbox_xserver_t)
8ad564
 permissive sandbox_xserver_t;
8ad564
+xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t)
8ad564
 
8ad564
 type sandbox_xserver_tmpfs_t;
8ad564
 files_tmpfs_file(sandbox_xserver_tmpfs_t)
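Review bot: `permissive sandbox_xserver_t;` is kept in this reworked block while the X server domain is now built from `xserver_user_x_domain_template`, so denials for the sandbox X server are only logged, never enforced — the sandbox's display isolation is advisory while that line stands. If it is still needed while the new template's rules are completed, add a comment with the tracking reference, e.g. `# TODO: drop permissive once sandbox_xserver_t is complete (see <tracker-id>)`; otherwise remove it. The newly added `sandbox_x_domain_template(sandbox_min)` also creates `sandbox_min_t`/`sandbox_min_client_t`, but no rules specific to them appear in this diff — confirm whether any are expected.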
8ad564
@@ -92,10 +93,6 @@
8ad564
 	')
8ad564
 ')
8ad564
 
8ad564
-optional_policy(`
8ad564
-	xserver_common_app(sandbox_xserver_t)
8ad564
-')
8ad564
-
8ad564
 ########################################
8ad564
 #
8ad564
 # sandbox local policy
8ad564
@@ -104,7 +101,7 @@
8ad564
 ## internal communication is often done using fifo and unix sockets.
8ad564
 allow sandbox_domain self:fifo_file manage_file_perms;
8ad564
 allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
8ad564
-allow sandbox_domain self:unix_dgram_socket create_socket_perms;
8ad564
+allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
8ad564
 
8ad564
 gen_require(`
8ad564
 	type usr_t, lib_t, locale_t;
c17c44
@@ -132,7 +129,7 @@
c17c44
 allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem };
c17c44
 allow sandbox_x_domain self:shm create_shm_perms;
c17c44
 allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
c17c44
-allow sandbox_x_domain self:unix_dgram_socket create_socket_perms;
c17c44
+allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
c17c44
 allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
c17c44
 dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
c17c44
 
c17c44
@@ -161,14 +158,14 @@
8ad564
 
8ad564
 auth_dontaudit_read_login_records(sandbox_x_domain)
8ad564
 auth_dontaudit_write_login_records(sandbox_x_domain)
8ad564
-#auth_use_nsswitch(sandbox_x_domain)
8ad564
+auth_use_nsswitch(sandbox_x_domain)
8ad564
 auth_search_pam_console_data(sandbox_x_domain)
8ad564
 
8ad564
 init_read_utmp(sandbox_x_domain)
c17c44
 init_dontaudit_write_utmp(sandbox_x_domain)
c17c44
 
c17c44
 miscfiles_read_localization(sandbox_x_domain)
c17c44
-miscfiles_dontaudit_setattr_fonts_dirs(sandbox_x_domain)
c17c44
+miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain)
c17c44
 
c17c44
 term_getattr_pty_fs(sandbox_x_domain)
c17c44
 term_use_ptmx(sandbox_x_domain)
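Review bot: Enabling `auth_use_nsswitch(sandbox_x_domain)` grants more than passwd lookups: in the refpolicy versions I know it includes `sysnet_dns_name_resolve` and nscd/sssd socket access, so a sandbox meant to have no network gains DNS traffic and daemon sockets — confirm that is intended, or use `auth_read_passwd` plus `sysnet_read_config` instead. The same interface is then applied again to `sandbox_x_client_t`, `sandbox_web_client_t` and `sandbox_net_client_t` in the last three hunks, which is redundant because each client type is declared with the `sandbox_x_domain` attribute. The `nscd_dontaudit_search_pid`/`sssd_dontaudit_search_lib` additions in the next hunk would likewise be moot if the nsswitch interface already allows those accesses.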
c17c44
@@ -179,12 +176,24 @@
8ad564
 miscfiles_read_fonts(sandbox_x_domain)
8ad564
 
8ad564
 optional_policy(`
8ad564
+	cups_stream_connect(sandbox_x_domain)
8ad564
+	cups_read_rw_config(sandbox_x_domain)
8ad564
+')
8ad564
+
8ad564
+optional_policy(`
c17c44
+	dbus_system_bus_client(sandbox_x_domain)
c17c44
+')
c17c44
+
c17c44
+optional_policy(`
8ad564
 	gnome_read_gconf_config(sandbox_x_domain)
8ad564
 ')
8ad564
 
8ad564
 optional_policy(`
8ad564
-	cups_stream_connect(sandbox_x_domain)
8ad564
-	cups_read_rw_config(sandbox_x_domain)
8ad564
+	nscd_dontaudit_search_pid(sandbox_x_domain)
8ad564
+')
8ad564
+
8ad564
+optional_policy(`
8ad564
+	sssd_dontaudit_search_lib(sandbox_x_domain)
8ad564
 ')
8ad564
 
8ad564
 userdom_dontaudit_use_user_terminals(sandbox_x_domain)
c17c44
@@ -207,10 +216,8 @@
8ad564
 
8ad564
 corenet_tcp_connect_ipp_port(sandbox_x_client_t)
8ad564
 
8ad564
-#auth_use_nsswitch(sandbox_x_client_t)
8ad564
+auth_use_nsswitch(sandbox_x_client_t)
8ad564
 
c17c44
-dbus_system_bus_client(sandbox_x_client_t)
c17c44
-dbus_read_config(sandbox_x_client_t)
c17c44
 selinux_get_fs_mount(sandbox_x_client_t)
c17c44
 selinux_validate_context(sandbox_x_client_t)
c17c44
 selinux_compute_access_vector(sandbox_x_client_t)
c17c44
@@ -267,7 +274,7 @@
8ad564
 corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t)
8ad564
 corenet_tcp_connect_speech_port(sandbox_web_client_t)
8ad564
 
8ad564
-#auth_use_nsswitch(sandbox_web_client_t)
8ad564
+auth_use_nsswitch(sandbox_web_client_t)
8ad564
 
8ad564
 dbus_system_bus_client(sandbox_web_client_t)
8ad564
 dbus_read_config(sandbox_web_client_t)
c17c44
@@ -310,7 +317,7 @@
8ad564
 corenet_tcp_connect_all_ports(sandbox_net_client_t)
8ad564
 corenet_sendrecv_all_client_packets(sandbox_net_client_t)
8ad564
 
8ad564
-#auth_use_nsswitch(sandbox_net_client_t)
8ad564
+auth_use_nsswitch(sandbox_net_client_t)
8ad564
 
8ad564
 dbus_system_bus_client(sandbox_net_client_t)
8ad564
 dbus_read_config(sandbox_net_client_t)
d4151f
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.6.32/policy/modules/apps/vmware.if
d4151f
--- nsaserefpolicy/policy/modules/apps/vmware.if	2009-09-16 16:01:19.000000000 +0200
d4151f
+++ serefpolicy-3.6.32/policy/modules/apps/vmware.if	2010-01-25 17:40:10.448685801 +0100
d4151f
@@ -30,6 +30,24 @@
d4151f
 	allow $2 vmware_t:process signal;
d4151f
 ')
d4151f
 
d4151f
+#######################################
d4151f
+## <summary>
d4151f
+## 	Execute vmware host executables
d4151f
+## </summary>
d4151f
+## <param name="domain">
d4151f
+## <summary>
d4151f
+## 	Domain allowed access.
d4151f
+## </summary>
d4151f
+## </param>
d4151f
+#
d4151f
+interface(`vmware_exec_host',`
d4151f
+	gen_require(`
d4151f
+		type vmware_host_exec_t;
d4151f
+	')
d4151f
+
d4151f
+	can_exec($1, vmware_host_exec_t)
d4151f
+')
d4151f
+      
d4151f
 ########################################
d4151f
 ## <summary>
d4151f
 ##	Read VMWare system configuration files.
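Review bot: The new `vmware_exec_host` interface is formatted unlike its neighbours: the header rule is one `#` short of the 40-column rule used by the interface below, the summary lines use a space followed by a tab (`## 	Execute`) where the file uses a single tab, and the line after the closing `')` is whitespace-only. Aligning these keeps the generated interface documentation consistent; the content itself (a plain `can_exec` on `vmware_host_exec_t`) reads fine.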
1fed36
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.32/policy/modules/apps/wine.if
8e9aa2
--- nsaserefpolicy/policy/modules/apps/wine.if	2010-01-18 18:24:22.657540000 +0100
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/apps/wine.if	2010-01-18 18:27:02.744541291 +0100
1fed36
@@ -143,6 +143,10 @@
1fed36
 	userdom_unpriv_usertype($1, $1_wine_t)
1fed36
 	userdom_manage_tmpfs_role($2, $1_wine_t)
1fed36
 
1fed36
+	tunable_policy(`wine_mmap_zero_ignore',`
1fed36
+		allow $1_wine_t self:memprotect mmap_zero;
1fed36
+	')
1fed36
+
1fed36
 	domain_mmap_low_type($1_wine_t)
1fed36
 	tunable_policy(`mmap_low_allowed',`
1fed36
 		domain_mmap_low($1_wine_t)
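Review bot: The new `wine_mmap_zero_ignore` block grants `self:memprotect mmap_zero`, which is the same permission `domain_mmap_low` — already applied under the `mmap_low_allowed` tunable four lines below — gives (from the refpolicy domain module as I know it; confirm), so wine now has two independent switches for lowering the mmap_min_addr protection; the same duplication appears in wine.te. If a wine-only override that bypasses the global boolean is the intent, say so in the tunable's `<desc>` in wine.te, which currently reads `Ignore wine mmap_zero errors` although the rule is an allow, not a dontaudit — e.g. `## Allow wine domains to map the zero page (memprotect mmap_zero); this weakens the kernel's mmap_min_addr protection against NULL-pointer exploits for those domains.` Otherwise drop the new tunable and rely on `mmap_low_allowed`. wine.te also leaves two consecutive blank lines after each added block.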
1fed36
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.32/policy/modules/apps/wine.te
8e9aa2
--- nsaserefpolicy/policy/modules/apps/wine.te	2010-01-18 18:24:22.664530344 +0100
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/apps/wine.te	2010-01-18 18:27:02.745530942 +0100
1fed36
@@ -6,6 +6,15 @@
1fed36
 # Declarations
1fed36
 #
1fed36
 
1fed36
+## <desc>
1fed36
+## 

1fed36
+## Ignore wine mmap_zero errors
1fed36
+## 

1fed36
+## </desc>
1fed36
+#
1fed36
+gen_tunable(wine_mmap_zero_ignore, false)
1fed36
+
1fed36
+
1fed36
 type wine_t;
1fed36
 type wine_exec_t;
1fed36
 application_domain(wine_t, wine_exec_t)
1fed36
@@ -29,6 +38,11 @@
1fed36
 manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
1fed36
 files_tmp_filetrans(wine_t, wine_tmp_t,{ file dir })
1fed36
 
1fed36
+tunable_policy(`wine_mmap_zero_ignore',`
1fed36
+	allow wine_t self:memprotect mmap_zero;
1fed36
+')
1fed36
+
1fed36
+
1fed36
 domain_mmap_low_type(wine_t)
1fed36
 tunable_policy(`mmap_low_allowed',`
1fed36
 	domain_mmap_low(wine_t)
8e9aa2
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in
8e9aa2
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2010-01-18 18:24:22.668540002 +0100
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in	2010-01-19 12:10:56.565608631 +0100
8e9aa2
@@ -92,8 +92,8 @@
8e9aa2
 network_port(dbskkd, tcp,1178,s0)
8e9aa2
 network_port(dcc, udp,6276,s0, udp,6277,s0)
8e9aa2
 network_port(dccm, tcp,5679,s0, udp,5679,s0)
8e9aa2
-network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,547,s0, tcp, 547,s0)
8e9aa2
-network_port(dhcpd, udp,67,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
8e9aa2
+network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
8e9aa2
+network_port(dhcpd, udp,67,s0, udp,547,s0, tcp,547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
8e9aa2
 network_port(dict, tcp,2628,s0)
8e9aa2
 network_port(distccd, tcp,3632,s0)
8e9aa2
 network_port(dns, udp,53,s0, tcp,53,s0)
738cda
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc
8e9aa2
--- nsaserefpolicy/policy/modules/kernel/devices.fc	2010-01-18 18:24:22.670530409 +0100
e1add2
+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc	2010-01-27 17:35:56.087613943 +0100
e1add2
@@ -103,6 +103,7 @@
e1add2
 /dev/tpm[0-9]*		-c	gen_context(system_u:object_r:tpm_device_t,s0)
e1add2
 /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
e1add2
 /dev/ub[a-c]		-c	gen_context(system_u:object_r:usb_device_t,s0)
e1add2
+/dev/usbmon.+       -c  gen_context(system_u:object_r:usbmon_device_t,s0)
e1add2
 /dev/usb.+		-c	gen_context(system_u:object_r:usb_device_t,s0)
e1add2
 /dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
e1add2
 ifdef(`distro_suse', `
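Review bot: `/dev/usbmon.+` is inserted before `/dev/usb.+`, and since file_contexts resolution gives the later of two matching regex entries precedence (the reason `/dev/usblp.*` already follows `/dev/usb.+`), `/dev/usbmon0` would still be labelled `usb_device_t` — check with matchpathcon and move the new line after `/dev/usblp.*`. The entry also uses spaces where the surrounding lines use tabs. The `/dev/uio[0-9]+` entry in the next hunk mixes spaces and tabs similarly.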
e1add2
@@ -162,6 +163,8 @@
738cda
 /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
738cda
 /dev/usb/scanner.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
738cda
 
738cda
+/dev/uio[0-9]+      	-c  	gen_context(system_u:object_r:userio_device_t,s0)
738cda
+
738cda
 /dev/xen/blktap.*	-c	gen_context(system_u:object_r:xen_device_t,s0)
738cda
 /dev/xen/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
738cda
 
738cda
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if
8e9aa2
--- nsaserefpolicy/policy/modules/kernel/devices.if	2010-01-18 18:24:22.673530022 +0100
e1add2
+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if	2010-01-27 17:35:46.879614965 +0100
e1add2
@@ -3551,6 +3551,24 @@
e1add2
 	rw_chr_files_pattern($1, device_t, usb_device_t)
e1add2
 ')
e1add2
 
e1add2
+######################################
e1add2
+## <summary>
e1add2
+##  Read USB monitor devices.
e1add2
+## </summary>
e1add2
+## <param name="domain">
e1add2
+##  <summary>
e1add2
+##  Domain allowed access.
e1add2
+##  </summary>
e1add2
+## </param>
e1add2
+#
e1add2
+interface(`dev_read_usbmon_dev',`
e1add2
+    gen_require(`
e1add2
+        type device_t, usbmon_device_t;
e1add2
+    ')
e1add2
+
e1add2
+    read_chr_files_pattern($1, device_t, usbmon_device_t)
e1add2
+')
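Review bot: `dev_read_usbmon_dev` hands out a bus-wide capture capability, since usbmon exposes the raw traffic of every device on the monitored bus, input devices included; the summary should say so, so policy authors don't treat it like an ordinary device read, e.g. `##	Read USB monitor (usbmon) devices. This exposes the raw traffic of all devices on the bus, including keyboards; restrict to dedicated capture tools.` Formatting also diverges from the file: the header rule is shorter than the 40 `#` used elsewhere, the body is indented with four spaces instead of tabs, and `dev_rw_userio_dev` in the next hunk mixes spaces and tabs on every line.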
e1add2
+
e1add2
 ########################################
e1add2
 ## <summary>
e1add2
 ##	Mount a usbfs filesystem.
e1add2
@@ -3833,6 +3851,24 @@
738cda
 	write_chr_files_pattern($1, device_t, v4l_device_t)
738cda
 ')
738cda
 
738cda
+#####################################
738cda
+## <summary>
738cda
+##  Read or write userio device.
738cda
+## </summary>
738cda
+## <param name="domain">
738cda
+##  <summary>
738cda
+##  Domain allowed access.
738cda
+##  </summary>
738cda
+## </param>
738cda
+#
738cda
+interface(`dev_rw_userio_dev',`
738cda
+    	gen_require(`
738cda
+        	type device_t, userio_device_t;
738cda
+    	')
738cda
+
738cda
+    	rw_chr_files_pattern($1, device_t, userio_device_t)
738cda
+')
738cda
+
738cda
 ########################################
738cda
 ## <summary>
738cda
 ##	Read and write VMWare devices.
738cda
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.32/policy/modules/kernel/devices.te
8e9aa2
--- nsaserefpolicy/policy/modules/kernel/devices.te	2010-01-18 18:24:22.675530137 +0100
e1add2
+++ serefpolicy-3.6.32/policy/modules/kernel/devices.te	2010-01-27 17:34:18.787624215 +0100
e1add2
@@ -228,11 +228,23 @@
e1add2
 genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
e1add2
 
e1add2
 #
e1add2
+# usbmon_device_t is the type for /dev/usbmon
e1add2
+#
e1add2
+type usbmon_device_t;
e1add2
+dev_node(usbmon_device_t)
e1add2
+
e1add2
+#
e1add2
 # usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+
e1add2
 #
738cda
 type usb_device_t;
738cda
 dev_node(usb_device_t)
738cda
 
738cda
+#
738cda
+# userio_device_t is the type for /dev/uio[0-9]+
738cda
+#
738cda
+type userio_device_t;
738cda
+dev_node(userio_device_t)
738cda
+
738cda
 type v4l_device_t;
738cda
 dev_node(v4l_device_t)
738cda
 
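Review bot: The new comment `# usbmon_device_t is the type for /dev/usbmon` does not match the file context added in devices.fc, which is `/dev/usbmon.+` (one node per bus); writing `# usbmon_device_t is the type for /dev/usbmon.+` keeps the two in step, as the neighbouring `usb_device_t` comment does for its pattern.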
b32d59
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc
8e9aa2
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc	2010-01-18 18:24:22.720530134 +0100
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc	2010-01-18 18:27:02.752530994 +0100
b32d59
@@ -2,7 +2,7 @@
b32d59
 # e.g.:
b32d59
 # /usr/local/bin/appsrv		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
b32d59
 # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
b32d59
-/usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
b32d59
+/usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
b32d59
 /usr/sbin/mock			    --	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
b32d59
 /usr/sbin/sysreport	 	    --	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
b32d59
 
b32d59
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
8e9aa2
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te	2010-01-18 18:24:22.722530039 +0100
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te	2010-01-18 18:27:02.753530981 +0100
b32d59
@@ -39,6 +39,8 @@
b32d59
 type unconfined_exec_t;
b32d59
 init_system_domain(unconfined_t, unconfined_exec_t)
b32d59
 role unconfined_r types unconfined_t;
b32d59
+role_transition system_r unconfined_exec_t unconfined_r;
b32d59
+allow system_r unconfined_r;
b32d59
 
b32d59
 domain_user_exemption_target(unconfined_t)
b32d59
 allow system_r unconfined_r;
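Review bot: The added `allow system_r unconfined_r;` duplicates the identical rule that already follows four lines below (after `domain_user_exemption_target`); keep only one, presumably the new one next to the `role_transition` it supports. The `role_transition system_r unconfined_exec_t unconfined_r;` itself, together with the vncserver relabel to `unconfined_exec_t` in unconfineduser.fc, means anything system_r executes from that file ends up fully unconfined — a comment noting that vncserver is the intended case would help.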
d5b741
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te
8e9aa2
--- nsaserefpolicy/policy/modules/roles/xguest.te	2010-01-18 18:24:22.724546986 +0100
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/roles/xguest.te	2010-01-18 18:27:02.754531109 +0100
d5b741
@@ -15,7 +15,7 @@
d5b741
 
d5b741
 ## <desc>
d5b741
 ## 

d5b741
-## Allow xguest to configure Network Manager
d5b741
+## Allow xguest to configure Network Manager and connect to apache ports
d5b741
 ## 

d5b741
 ## </desc>
d5b741
 gen_tunable(xguest_connect_network, true)
e0dd17
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
8e9aa2
--- nsaserefpolicy/policy/modules/services/abrt.te	2010-01-18 18:24:22.727540243 +0100
e1add2
+++ serefpolicy-3.6.32/policy/modules/services/abrt.te	2010-01-27 15:33:53.900626544 +0100
e0dd17
@@ -96,6 +96,7 @@
e0dd17
 corenet_tcp_connect_ftp_port(abrt_t)
e0dd17
 corenet_tcp_connect_all_ports(abrt_t)
e0dd17
 
e0dd17
+dev_getattr_all_chr_files(abrt_t)
e0dd17
 dev_read_urand(abrt_t)
e0dd17
 dev_rw_sysfs(abrt_t)
e0dd17
 dev_dontaudit_read_memory_dev(abrt_t)
e1add2
@@ -200,10 +201,13 @@
e1add2
 files_read_etc_files(abrt_helper_t)
e1add2
 files_dontaudit_all_non_security_leaks(abrt_helper_t)
e1add2
 
e1add2
+fs_getattr_all_fs(abrt_helper_t)
e1add2
 fs_list_inotifyfs(abrt_helper_t)
e1add2
 
e1add2
 auth_use_nsswitch(abrt_helper_t)
e1add2
 
e1add2
+logging_send_syslog_msg(abrt_helper_t)
e1add2
+
e1add2
 miscfiles_read_localization(abrt_helper_t)
e1add2
 
e1add2
 userdom_dontaudit_use_user_terminals(abrt_helper_t)
126a81
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.32/policy/modules/services/afs.te
126a81
--- nsaserefpolicy/policy/modules/services/afs.te	2010-01-18 18:24:22.729540009 +0100
126a81
+++ serefpolicy-3.6.32/policy/modules/services/afs.te	2010-01-20 13:19:16.795611181 +0100
126a81
@@ -1,5 +1,5 @@
126a81
 
126a81
-policy_module(afs, 1.5.0)
126a81
+policy_module(afs, 1.5.1)
126a81
 
126a81
 ########################################
126a81
 #
126a81
@@ -72,7 +72,7 @@
126a81
 #
126a81
 
126a81
 allow afs_t self:capability { sys_admin sys_nice sys_tty_config };
126a81
-allow afs_t self:process setsched;
126a81
+allow afs_t self:process { fork setsched signal };
126a81
 allow afs_t self:udp_socket create_socket_perms;
126a81
 allow afs_t self:fifo_file rw_file_perms;
126a81
 allow afs_t self:unix_stream_socket create_stream_socket_perms;
126a81
@@ -105,6 +105,8 @@
126a81
 
126a81
 miscfiles_read_localization(afs_t)
126a81
 
126a81
+sysnet_dns_name_resolve(afs_t)
126a81
+
126a81
 ########################################
126a81
 #
126a81
 # AFS bossserver local policy
e1add2
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc
e1add2
--- nsaserefpolicy/policy/modules/services/apache.fc	2010-01-18 18:24:22.733530530 +0100
e1add2
+++ serefpolicy-3.6.32/policy/modules/services/apache.fc	2010-01-27 17:22:29.733863060 +0100
e1add2
@@ -12,6 +12,7 @@
e1add2
 /etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
e1add2
 /etc/rc\.d/init\.d/lighttpd    	--      gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
e1add2
 /etc/vhosts			--	gen_context(system_u:object_r:httpd_config_t,s0)
e1add2
+/etc/zabbix/web(/.*)?		gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
e1add2
 
e1add2
 /srv/([^/]*/)?www(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
e1add2
 /srv/gallery2(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
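Review bot: `/etc/zabbix/web(/.*)?` labelled `httpd_sys_content_rw_t` makes a configuration directory under /etc writable by the web server and by its script domains. If only the file the frontend's setup step writes needs to be writable, labelling that file (or a dedicated subdirectory) `httpd_sys_content_rw_t` and leaving the rest of the tree read-only keeps the web server from rewriting its own frontend configuration; if the whole tree really is rewritten at runtime, a comment above the entry saying so would justify the wide label.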
1f5c71
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
8e9aa2
--- nsaserefpolicy/policy/modules/services/apache.if	2010-01-18 18:24:22.736530563 +0100
c17c44
+++ serefpolicy-3.6.32/policy/modules/services/apache.if	2010-01-22 17:15:37.455855038 +0100
1f5c71
@@ -16,6 +16,7 @@
1f5c71
 		attribute httpd_exec_scripts;
1f5c71
 		attribute httpd_script_exec_type;
1f5c71
 		type httpd_t, httpd_suexec_t, httpd_log_t;
738cda
+		type httpd_sys_content_t;
1f5c71
 	')
1f5c71
 	#This type is for webpages
1f5c71
 	type httpd_$1_content_t;
1f5c71
@@ -123,6 +124,8 @@
1f5c71
 		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
1f5c71
 		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
1f5c71
 		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
1f5c71
+
1f5c71
+        allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
1f5c71
 	')
1f5c71
 
1f5c71
 	tunable_policy(`httpd_enable_cgi',`
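Review bot: The new rule at the end of the block is indented with spaces while every surrounding line uses a tab; it should read `	allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;`. The same space-for-tab indentation appears on new lines in fail2ban.if, ftp.if, ftp.te (the sftpd policy), nagios.te and nx.if, and several added lines carry trailing whitespace (avahi.fc, git.fc, git.te, nagios.te, openvpn.te, and the closing `')` of the sftpd policy). The rule relies on the `type httpd_sys_content_t;` require added in the previous hunk, and because it sits inside a template it grants every instantiated script domain search on sys content directories, which reads as intended for shared document-root layouts. The enclosing tunable_policy block opens outside the hunk.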
c17c44
@@ -1167,6 +1170,29 @@
c17c44
 	allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
c17c44
 ')
c17c44
 
c17c44
+#######################################
c17c44
+## <summary>
c17c44
+## dontaudit read and write an leaked file descriptors
c17c44
+## </summary>
c17c44
+## <param name="domain">
c17c44
+## <summary>
c17c44
+## The type of the process performing this action.
c17c44
+## </summary>
c17c44
+## </param>
c17c44
+#
c17c44
+interface(`apache_dontaudit_leaks',`
c17c44
+	gen_require(`
c17c44
+		type httpd_t;
c17c44
+	')
c17c44
+
c17c44
+	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
c17c44
+	dontaudit $1 httpd_t:tcp_socket { read write };
c17c44
+	dontaudit $1 httpd_t:unix_dgram_socket { read write };
c17c44
+	dontaudit $1 httpd_t:unix_stream_socket { read write };
c17c44
+')
c17c44
+
c17c44
+
c17c44
+
c17c44
 ########################################
c17c44
 ## <summary>
c17c44
 ##	Do not audit attempts to read and write Apache
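Review bot: The summary of `apache_dontaudit_leaks` reads `## dontaudit read and write an leaked file descriptors`; wording in the style of its neighbours would be `## Do not audit attempts to read and write leaked httpd file descriptors.` The header rule is one `#` shorter than the one at the next interface, and three blank lines separate the new interface from it where the file uses one. The permission sets (`{ read write }` on sockets, `rw_inherited_fifo_file_perms` on fifos) match the form fail2ban.if uses for its dontaudit interface, so the rules themselves look consistent.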
8e9aa2
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te
8e9aa2
--- nsaserefpolicy/policy/modules/services/apache.te	2010-01-18 18:24:22.739530246 +0100
e1add2
+++ serefpolicy-3.6.32/policy/modules/services/apache.te	2010-01-26 15:36:27.882713495 +0100
8e9aa2
@@ -309,7 +309,7 @@
8e9aa2
 manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
8e9aa2
 manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
8e9aa2
 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
8e9aa2
-files_var_filetrans(httpd_t, httpd_cache_t, dir)
8e9aa2
+files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
8e9aa2
 
8e9aa2
 # Allow the httpd_t to read the web servers config files
8e9aa2
 allow httpd_t httpd_config_t:dir list_dir_perms;
e1add2
@@ -612,6 +612,11 @@
e1add2
 		avahi_dbus_chat(httpd_t)
e1add2
 	')
e1add2
 ')
e1add2
+
e1add2
+optional_policy(`
e1add2
+	gitosis_read_var_lib(httpd_t)
e1add2
+')
e1add2
+
e1add2
 optional_policy(`
e1add2
 	kerberos_keytab_template(httpd, httpd_t)
e1add2
 ')
1f5c71
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.6.32/policy/modules/services/apcupsd.te
1f5c71
--- nsaserefpolicy/policy/modules/services/apcupsd.te	2009-09-16 16:01:19.000000000 +0200
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te	2010-01-18 18:27:02.757542944 +0100
1f5c71
@@ -31,7 +31,7 @@
1f5c71
 #
1f5c71
 
1f5c71
 allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
1f5c71
-allow apcupsd_t self:process signal;
1f5c71
+allow apcupsd_t self:process { signal signull };
1f5c71
 allow apcupsd_t self:fifo_file rw_file_perms;
1f5c71
 allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
1f5c71
 allow apcupsd_t self:tcp_socket create_stream_socket_perms;
e1add2
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.6.32/policy/modules/services/arpwatch.te
e1add2
--- nsaserefpolicy/policy/modules/services/arpwatch.te	2010-01-18 18:24:22.741530430 +0100
e1add2
+++ serefpolicy-3.6.32/policy/modules/services/arpwatch.te	2010-01-27 17:37:31.626864275 +0100
e1add2
@@ -64,6 +64,7 @@
e1add2
 corenet_udp_sendrecv_all_ports(arpwatch_t)
e1add2
 
e1add2
 dev_read_sysfs(arpwatch_t)
e1add2
+dev_read_usbmon_dev(arpwatch_t)
e1add2
 
e1add2
 fs_getattr_all_fs(arpwatch_t)
e1add2
 fs_search_auto_mountpoints(arpwatch_t)
8e9aa2
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.6.32/policy/modules/services/avahi.fc
8e9aa2
--- nsaserefpolicy/policy/modules/services/avahi.fc	2009-09-16 16:01:19.000000000 +0200
3368b2
+++ serefpolicy-3.6.32/policy/modules/services/avahi.fc	2010-01-19 21:19:40.967763409 +0100
8e9aa2
@@ -6,4 +6,4 @@
8e9aa2
 
8e9aa2
 /var/run/avahi-daemon(/.*)? 		gen_context(system_u:object_r:avahi_var_run_t,s0)
8e9aa2
 
8e9aa2
-/usr/lib/avahi-autoipd(/.*)		gen_context(system_u:object_r:avahi_var_lib_t,s0)
3368b2
+/var/lib/avahi-autoipd(/.*)?  	gen_context(system_u:object_r:avahi_var_lib_t,s0)    
e0dd17
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te
8e9aa2
--- nsaserefpolicy/policy/modules/services/cups.te	2010-01-18 18:24:22.771540183 +0100
d4151f
+++ serefpolicy-3.6.32/policy/modules/services/cups.te	2010-01-25 17:36:13.178435741 +0100
d4151f
@@ -265,6 +265,7 @@
d4151f
 # invoking ghostscript needs to read fonts
d4151f
 miscfiles_read_fonts(cupsd_t)
d4151f
 miscfiles_setattr_fonts_dirs(cupsd_t)
d4151f
+miscfiles_setattr_fonts_cache_dirs(cupsd_t)
d4151f
 
d4151f
 seutil_read_config(cupsd_t)
d4151f
 sysnet_exec_ifconfig(cupsd_t)
d4151f
@@ -555,6 +556,7 @@
e0dd17
 logging_send_syslog_msg(cupsd_lpd_t)
e0dd17
 
e0dd17
 miscfiles_read_localization(cupsd_lpd_t)
e0dd17
+miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
e0dd17
 
e0dd17
 cups_stream_connect(cupsd_lpd_t)
e0dd17
 
e0dd17
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
8e9aa2
--- nsaserefpolicy/policy/modules/services/dovecot.te	2010-01-18 18:24:22.782530547 +0100
e1add2
+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te	2010-01-27 16:52:32.499864534 +0100
e1add2
@@ -82,6 +82,7 @@
e1add2
 manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
e1add2
 
e1add2
 manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
e1add2
+manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
e1add2
 manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
e1add2
 files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
e1add2
 
e1add2
@@ -277,6 +278,8 @@
e0dd17
 ')
e0dd17
 
e0dd17
 tunable_policy(`use_nfs_home_dirs',`
738cda
+	fs_manage_nfs_dirs(dovecot_deliver_t)
738cda
+	fs_manage_nfs_dirs(dovecot_t)
e0dd17
 	fs_manage_nfs_files(dovecot_deliver_t)
e0dd17
 	fs_manage_nfs_symlinks(dovecot_deliver_t)
e0dd17
 	fs_manage_nfs_files(dovecot_t)
e1add2
@@ -284,6 +287,8 @@
e0dd17
 ')
e0dd17
 
e0dd17
 tunable_policy(`use_samba_home_dirs',`
738cda
+	fs_manage_cifs_dirs(dovecot_deliver_t)
738cda
+	fs_manage_cifs_dirs(dovecot_t)
e0dd17
 	fs_manage_cifs_files(dovecot_deliver_t)
e0dd17
 	fs_manage_cifs_symlinks(dovecot_deliver_t)
e0dd17
 	fs_manage_cifs_files(dovecot_t)
e0dd17
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.6.32/policy/modules/services/fail2ban.if
8e9aa2
--- nsaserefpolicy/policy/modules/services/fail2ban.if	2010-01-18 18:24:22.784531151 +0100
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/services/fail2ban.if	2010-01-18 18:27:02.761531161 +0100
e0dd17
@@ -138,6 +138,24 @@
e0dd17
 	dontaudit $1 fail2ban_t:unix_stream_socket { read write };
e0dd17
 ')
e0dd17
 
e0dd17
+#######################################
e0dd17
+## <summary>
e0dd17
+## Read and write to an fail2ban unix stream socket.
e0dd17
+## </summary>
e0dd17
+## <param name="domain">
e0dd17
+## <summary>
e0dd17
+## Domain allowed access.
e0dd17
+## </summary>
e0dd17
+## </param>
e0dd17
+#
e0dd17
+interface(`fail2ban_rw_stream_sockets',`
e0dd17
+    gen_require(`
e0dd17
+        type fail2ban_t;
e0dd17
+    ')
e0dd17
+
e0dd17
+    allow $1 fail2ban_t:unix_stream_socket { getattr read write ioctl };
e0dd17
+')
e0dd17
+     
e0dd17
 ########################################
e0dd17
 ## <summary>
e0dd17
 ##	All of the rules required to administrate 
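Review bot: The summary `## Read and write to an fail2ban unix stream socket.` should read `## Read and write a fail2ban unix stream socket.`, and the interface body is indented with four spaces where the dontaudit interface above it (and the rest of the file) uses tabs. The line after the closing `')` is whitespace only and should be blank. The header rule is one `#` shorter than the one that follows.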
d5b741
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.6.32/policy/modules/services/ftp.if
d5b741
--- nsaserefpolicy/policy/modules/services/ftp.if	2009-09-16 16:01:19.000000000 +0200
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/services/ftp.if	2010-01-18 18:27:02.762530869 +0100
d5b741
@@ -115,6 +115,43 @@
d5b741
 	role $2 types ftpdctl_t;
d5b741
 ')
d5b741
 
d5b741
+######################################
d5b741
+## <summary>
d5b741
+##  Allow domain dyntransition to sftpd-anon domain.
d5b741
+## </summary>
d5b741
+## <param name="domain">
d5b741
+##  <summary>
d5b741
+##  Domain allowed access.
d5b741
+##  </summary>
d5b741
+## </param>
d5b741
+#
d5b741
+interface(`ftp_dyntransition_sftpd_anon',`
d5b741
+    gen_require(`
d5b741
+        type anon_sftpd_t;
d5b741
+    ')
d5b741
+
d5b741
+    allow $1 anon_sftpd_t:process dyntransition;
d5b741
+')
d5b741
+
d5b741
+######################################
d5b741
+## <summary>
d5b741
+##  Allow domain dyntransition to sftpd domain.
d5b741
+## </summary>
d5b741
+## <param name="domain">
d5b741
+##  <summary>
d5b741
+##  Domain allowed access.
d5b741
+##  </summary>
d5b741
+## </param>
d5b741
+#
d5b741
+interface(`ftp_dyntransition_sftpd',`
d5b741
+    gen_require(`
d5b741
+        type sftpd_t;
d5b741
+    ')
d5b741
+
d5b741
+    allow $1 sftpd_t:process dyntransition;
d5b741
+	allow sftpd_t $1:process sigchld;
d5b741
+')
d5b741
+
d5b741
 ########################################
d5b741
 ## <summary>
d5b741
 ##	All of the rules required to administrate 
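Review bot: `ftp_dyntransition_sftpd_anon` requires and grants on `anon_sftpd_t`, but ftp.te in this same patch declares the domain as `sftpd_anon_t`; nothing fails until a caller expands the interface, at which point the gen_require cannot be satisfied. Change the two lines to `type sftpd_anon_t;` and `allow $1 sftpd_anon_t:process dyntransition;`. The sftpd variant also grants `allow sftpd_t $1:process sigchld;` while the anon variant does not; if the anon domain is reached the same way it will presumably need the same rule, and that line is tab-indented in an otherwise space-indented body.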
d5b741
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.32/policy/modules/services/ftp.te
8e9aa2
--- nsaserefpolicy/policy/modules/services/ftp.te	2010-01-18 18:24:22.787539983 +0100
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/services/ftp.te	2010-01-18 18:27:02.763531066 +0100
d5b741
@@ -53,6 +53,39 @@
d5b741
 ## </desc>
d5b741
 gen_tunable(ftp_home_dir, false)
d5b741
 
d5b741
+## <desc>
d5b741
+## 

d5b741
+## Allow anon internal-sftp to upload files, used for 
d5b741
+## public file transfer services. Directories must be labeled
d5b741
+## public_content_rw_t.
d5b741
+## 

d5b741
+## </desc>
d5b741
+gen_tunable(sftpd_anon_write, false)
d5b741
+
d5b741
+## <desc>
d5b741
+## 

d5b741
+## Allow sftp-internal to login to local users and 
d5b741
+## read/write all files on the system, governed by DAC.
d5b741
+## 

d5b741
+## </desc>
d5b741
+gen_tunable(sftpd_full_access, false)
d5b741
+
d5b741
+## <desc>
d5b741
+## 

d5b741
+## Allow interlnal-sftp to read and write files 
d5b741
+## in the user ssh home directories.
d5b741
+## 

d5b741
+## </desc>
d5b741
+gen_tunable(sftpd_write_ssh_home, false)
d5b741
+
d5b741
+## <desc>
d5b741
+## 

d5b741
+## Allow sftp-internal to read and write files 
d5b741
+## in the user home directories
d5b741
+## 

d5b741
+## </desc>
d5b741
+gen_tunable(sftp_enable_homedirs, false)
d5b741
+
d5b741
 type ftpd_t;
d5b741
 type ftpd_exec_t;
d5b741
 init_daemon_domain(ftpd_t, ftpd_exec_t)
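Review bot: The description of `sftpd_write_ssh_home` misspells the subject: `## Allow interlnal-sftp to read and write files` should read `## Allow internal-sftp to read and write files`. The fourth tunable is named `sftp_enable_homedirs` while the other three use the `sftpd_` prefix; since the name is what administrators set with setsebool, settling on one prefix before this ships avoids a rename later (the local policy in the last hunk of this file tests the `sftp_enable_homedirs` spelling). The paragraph markup inside the descriptions appears to have been lost in rendering here, so confirm it is intact in the actual file.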
d5b741
@@ -93,6 +126,14 @@
d5b741
 	init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
d5b741
 ')
d5b741
 
d5b741
+type sftpd_t;
d5b741
+domain_type(sftpd_t)
d5b741
+role system_r types sftpd_t;
d5b741
+
d5b741
+type sftpd_anon_t;
d5b741
+domain_type(sftpd_anon_t)
d5b741
+role system_r types sftpd_anon_t;
d5b741
+
d5b741
 ########################################
d5b741
 #
d5b741
 # ftpd local policy
d5b741
@@ -342,3 +383,76 @@
d5b741
 files_read_etc_files(ftpdctl_t)
d5b741
 
d5b741
 userdom_use_user_terminals(ftpdctl_t)
d5b741
+
d5b741
+#######################################
d5b741
+#
d5b741
+# sftpd-anon local policy
d5b741
+#
d5b741
+
d5b741
+files_read_etc_files(sftpd_anon_t)
d5b741
+
d5b741
+miscfiles_read_public_files(sftpd_anon_t)
d5b741
+
d5b741
+tunable_policy(`sftpd_anon_write',`
d5b741
+	miscfiles_manage_public_files(sftpd_anon_t)
d5b741
+')
d5b741
+
d5b741
+#######################################
d5b741
+#
d5b741
+# sftpd local policy
d5b741
+#
d5b741
+
d5b741
+files_read_etc_files(sftpd_t)
d5b741
+
d5b741
+# allow read access to /home by default
d5b741
+userdom_read_user_home_content_files(sftpd_t)
d5b741
+userdom_read_user_home_content_symlinks(sftpd_t)
d5b741
+userdom_dontaudit_list_admin_dir(sftpd_t)
d5b741
+
d5b741
+tunable_policy(`sftpd_full_access',`
d5b741
+    allow sftpd_t self:capability { dac_override dac_read_search };
d5b741
+    fs_read_noxattr_fs_files(sftpd_t)
d5b741
+    auth_manage_all_files_except_shadow(sftpd_t)
d5b741
+')
d5b741
+
d5b741
+tunable_policy(`sftpd_write_ssh_home',`
d5b741
+    ssh_manage_user_home_files(sftpd_t)
d5b741
+')
d5b741
+
d5b741
+tunable_policy(`sftp_enable_homedirs',`
d5b741
+    allow sftpd_t self:capability { dac_override dac_read_search };
d5b741
+
d5b741
+	# allow access to /home
d5b741
+	files_list_home(sftpd_t)
d5b741
+    userdom_read_user_home_content_files(sftpd_t)
d5b741
+    userdom_manage_user_home_content(sftpd_t)
d5b741
+
d5b741
+    auth_read_all_dirs_except_shadow(sftpd_t)
d5b741
+    auth_read_all_files_except_shadow(sftpd_t)
d5b741
+    auth_read_all_symlinks_except_shadow(sftpd_t)
d5b741
+', `
d5b741
+   # Needed for permissive mode, to make sure everything gets labeled correctly
d5b741
+   userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
d5b741
+')
d5b741
+
d5b741
+tunable_policy(`sftp_enable_homedirs && use_nfs_home_dirs',`
d5b741
+	fs_manage_nfs_dirs(sftpd_t)
d5b741
+    fs_manage_nfs_files(sftpd_t)
d5b741
+	fs_manage_nfs_symlinks(sftpd_t)
d5b741
+')
d5b741
+
d5b741
+tunable_policy(`sftp_enable_homedirs && use_samba_home_dirs',`
d5b741
+	fs_manage_cifs_dirs(sftpd_t)
d5b741
+	fs_manage_cifs_files(sftpd_t)
d5b741
+	fs_manage_cifs_symlinks(sftpd_t)
d5b741
+')
d5b741
+
d5b741
+tunable_policy(`use_samba_home_dirs',`
d5b741
+    fs_read_cifs_files(sftpd_t)
d5b741
+    fs_read_cifs_symlinks(sftpd_t)
d5b741
+')
d5b741
+
d5b741
+tunable_policy(`use_nfs_home_dirs',`
d5b741
+    fs_read_nfs_files(sftpd_t)
d5b741
+    fs_read_nfs_symlinks(ftpd_t)
d5b741
+')   
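Review bot: `fs_read_nfs_symlinks(ftpd_t)` in the `use_nfs_home_dirs` block names the wrong domain; every other line in that block and in the matching `use_samba_home_dirs` block targets sftpd_t, so it should be `fs_read_nfs_symlinks(sftpd_t)`, otherwise sftpd_t gets NFS file reads without symlink reads and ftpd_t silently picks up a rule unrelated to this feature. The `sftp_enable_homedirs` branch grants `auth_read_all_dirs_except_shadow`, `auth_read_all_files_except_shadow`, `auth_read_all_symlinks_except_shadow` and `dac_override`/`dac_read_search` on self, which reaches well beyond the home directories its tunable description promises; either narrow these to the userdom home-content interfaces already used here or make the description state the system-wide read scope. `userdom_read_user_home_content_files(sftpd_t)` is granted unconditionally above and again inside that branch, so the second call is redundant.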
8067f5
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.6.32/policy/modules/services/git.fc
8067f5
--- nsaserefpolicy/policy/modules/services/git.fc	2010-01-18 18:24:22.788540040 +0100
c17c44
+++ serefpolicy-3.6.32/policy/modules/services/git.fc	2010-01-22 12:32:18.191604638 +0100
c17c44
@@ -1,6 +1,9 @@
8067f5
 /var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
8067f5
 /var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
8067f5
 
c17c44
+/var/www/git(/.*)?			gen_context(system_u:object_r:httpd_git_content_t,s0)
c17c44
+/var/www/git/gitweb\.cgi --	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)   
c17c44
+
8067f5
 /srv/git(/.*)?					gen_context(system_u:object_r:git_data_t, s0)
8067f5
 
c17c44
 /usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t, s0)
c17c44
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.6.32/policy/modules/services/git.if
c17c44
--- nsaserefpolicy/policy/modules/services/git.if	2010-01-18 18:24:22.789540167 +0100
c17c44
+++ serefpolicy-3.6.32/policy/modules/services/git.if	2010-01-22 12:30:50.923622237 +0100
c17c44
@@ -104,7 +104,7 @@
c17c44
 	')
c17c44
 
c17c44
 	exec_files_pattern($1, git_data_t, git_data_t)
c17c44
-	files_search_var($1)
c17c44
+	files_search_var_lib($1)
c17c44
 ')
c17c44
 
c17c44
 ########################################
c17c44
@@ -126,7 +126,7 @@
c17c44
 
c17c44
 	manage_dirs_pattern($1, git_data_t, git_data_t)
c17c44
 	manage_files_pattern($1, git_data_t, git_data_t)
c17c44
-	files_search_var($1)
c17c44
+	files_search_var_lib($1)
c17c44
 ')
c17c44
 
c17c44
 ########################################
c17c44
@@ -192,7 +192,7 @@
c17c44
 
c17c44
 	list_dirs_pattern($1, git_data_t, git_data_t)
c17c44
 	read_files_pattern($1, git_data_t, git_data_t)
c17c44
-	files_search_var($1)
c17c44
+	files_search_var_lib($1)
c17c44
 ')
c17c44
 
c17c44
 ########################################
c17c44
@@ -214,7 +214,7 @@
c17c44
 
c17c44
 	relabel_dirs_pattern($1, git_data_t, git_data_t)
c17c44
 	relabel_files_pattern($1, git_data_t, git_data_t)
c17c44
-	files_search_var($1)
c17c44
+	files_search_var_lib($1)
c17c44
 ')
c17c44
 
c17c44
 ########################################
d5b741
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.6.32/policy/modules/services/git.te
8e9aa2
--- nsaserefpolicy/policy/modules/services/git.te	2010-01-18 18:24:22.790540016 +0100
c17c44
+++ serefpolicy-3.6.32/policy/modules/services/git.te	2010-01-22 12:32:35.787604988 +0100
d5b741
@@ -73,7 +73,7 @@
d5b741
 #
d5b741
 
d5b741
 allow gitd_type self:fifo_file rw_fifo_file_perms;
d5b741
-allow gitd_type self:tcp_socket create_socket_perms;
d5b741
+allow gitd_type self:tcp_socket create_stream_socket_perms;
d5b741
 allow gitd_type self:udp_socket create_socket_perms;
d5b741
 allow gitd_type self:unix_dgram_socket create_socket_perms;
d5b741
 
c17c44
@@ -171,3 +171,6 @@
c17c44
 
c17c44
 apache_content_template(git)
c17c44
 git_read_data_content(httpd_git_script_t)
c17c44
+
c17c44
+files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) 
c17c44
+
3391ad
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.32/policy/modules/services/kerberos.if
3391ad
--- nsaserefpolicy/policy/modules/services/kerberos.if	2010-01-18 18:24:22.799531033 +0100
c17c44
+++ serefpolicy-3.6.32/policy/modules/services/kerberos.if	2010-01-22 17:08:10.300604739 +0100
c17c44
@@ -85,7 +85,7 @@
c17c44
 	seutil_dontaudit_read_file_contexts($1)
3391ad
 
3391ad
 	optional_policy(`
c17c44
-		sssd_read_config_files($1)
3391ad
+		sssd_read_public_files($1)
3391ad
 	')
3391ad
 
3391ad
 	tunable_policy(`allow_kerberos',`
e1add2
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.6.32/policy/modules/services/ldap.fc
e1add2
--- nsaserefpolicy/policy/modules/services/ldap.fc	2009-09-16 16:01:19.000000000 +0200
e1add2
+++ serefpolicy-3.6.32/policy/modules/services/ldap.fc	2010-01-26 14:30:08.546712216 +0100
e1add2
@@ -2,6 +2,8 @@
e1add2
 /etc/ldap/slapd\.conf	--	gen_context(system_u:object_r:slapd_etc_t,s0)
e1add2
 /etc/rc\.d/init\.d/ldap	--	gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
e1add2
 
e1add2
+/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
e1add2
+
e1add2
 /usr/sbin/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
e1add2
 
e1add2
 ifdef(`distro_debian',`
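Review bot: `/etc/openldap/slapd\.d(/.*)?` is labelled `slapd_db_t`, which gives slapd the same write access to this configuration tree that it has to its databases; presumably because slapd.d is the cn=config backend that slapd rewrites at runtime, and a comment saying so, e.g. `# cn=config backend, modified by slapd at runtime`, would stop a later cleanup from relabelling it `slapd_etc_t`. The entry separates the pattern and context with a single space where the surrounding lines use tabs.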
c17c44
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.32/policy/modules/services/mailman.te
c17c44
--- nsaserefpolicy/policy/modules/services/mailman.te	2010-01-18 18:24:22.808530642 +0100
c17c44
+++ serefpolicy-3.6.32/policy/modules/services/mailman.te	2010-01-22 17:16:41.576604913 +0100
c17c44
@@ -55,6 +55,7 @@
c17c44
 	apache_search_sys_script_state(mailman_cgi_t)
c17c44
 	apache_read_config(mailman_cgi_t)
c17c44
 	apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
c17c44
+	apache_dontaudit_leaks(mailman_cgi_t)
c17c44
 ')
c17c44
 
c17c44
 ########################################
8e9aa2
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.32/policy/modules/services/memcached.te
8e9aa2
--- nsaserefpolicy/policy/modules/services/memcached.te	2010-01-18 18:24:22.809536705 +0100
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/services/memcached.te	2010-01-19 11:45:44.999857263 +0100
8e9aa2
@@ -1,5 +1,5 @@
8e9aa2
 
8e9aa2
-policy_module(memcached, 1.1.0)
8e9aa2
+policy_module(memcached, 1.1.1)
8e9aa2
 
8e9aa2
 ########################################
8e9aa2
 #
8e9aa2
@@ -22,9 +22,12 @@
8e9aa2
 #
8e9aa2
 
8e9aa2
 allow memcached_t self:capability { setuid setgid };
8e9aa2
+dontaudit memcached_t self:capability sys_tty_config;
8e9aa2
+allow memcached_t self:process { fork setrlimit signal_perms };
8e9aa2
 allow memcached_t self:tcp_socket create_stream_socket_perms;
8e9aa2
 allow memcached_t self:udp_socket { create_socket_perms listen };
8e9aa2
 allow memcached_t self:fifo_file rw_fifo_file_perms;
8e9aa2
+allow memcached_t self:unix_stream_socket create_stream_socket_perms;
8e9aa2
 
8e9aa2
 corenet_all_recvfrom_unlabeled(memcached_t)
8e9aa2
 corenet_udp_sendrecv_generic_if(memcached_t)
8e9aa2
@@ -42,12 +45,15 @@
8e9aa2
 manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
8e9aa2
 files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir })
8e9aa2
 
8e9aa2
-files_read_etc_files(memcached_t)
8e9aa2
-
8e9aa2
+kernel_read_kernel_sysctls(memcached_t)
8e9aa2
 kernel_read_system_state(memcached_t)
8e9aa2
 
8e9aa2
+files_read_etc_files(memcached_t)
8e9aa2
+
8e9aa2
 auth_use_nsswitch(memcached_t)
8e9aa2
 
8e9aa2
 miscfiles_read_localization(memcached_t)
8e9aa2
 
8e9aa2
-sysnet_dns_name_resolve(memcached_t)
8e9aa2
+term_dontaudit_use_all_user_ptys(memcached_t)
8e9aa2
+term_dontaudit_use_all_user_ttys(memcached_t)
8e9aa2
+term_dontaudit_use_console(memcached_t)
e1add2
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te
e1add2
--- nsaserefpolicy/policy/modules/services/mysql.te	2010-01-18 18:24:22.819530575 +0100
e1add2
+++ serefpolicy-3.6.32/policy/modules/services/mysql.te	2010-01-26 14:38:16.349463228 +0100
e1add2
@@ -147,6 +147,8 @@
e1add2
 dontaudit mysqld_safe_t self:capability sys_ptrace;
e1add2
 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
e1add2
 
e1add2
+allow mysqld_safe_t mysqld_t:process signal_perms;
e1add2
+
e1add2
 domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
e1add2
 
e1add2
 manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
e0dd17
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc
8e9aa2
--- nsaserefpolicy/policy/modules/services/nagios.fc	2010-01-18 18:24:22.821530899 +0100
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/services/nagios.fc	2010-01-18 18:27:02.765531460 +0100
8ad564
@@ -27,26 +27,62 @@
e0dd17
 
e0dd17
 # check disk plugins
e0dd17
 /usr/lib(64)?/nagios/plugins/check_disk  	--  	gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_disk_smb		--		gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
e0dd17
 /usr/lib(64)?/nagios/plugins/check_ide_smart 	--  	gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_linux_raid	--		gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
e0dd17
 
e0dd17
 # system plugins
e0dd17
-/usr/lib(64)?/nagios/plugins/check_users	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_breeze		--		gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_dummy		--		gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
e0dd17
 /usr/lib(64)?/nagios/plugins/check_file_age  	--      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_flexlm		--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_ifoperstatus	--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_ifstatus		--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_load			--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
e0dd17
 /usr/lib(64)?/nagios/plugins/check_log		--      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_mailq		--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_mrtg			--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_mrtgtraf		--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
e0dd17
 /usr/lib(64)?/nagios/plugins/check_nagios    	--      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_nwstat		--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_overcr		--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
e0dd17
 /usr/lib(64)?/nagios/plugins/check_procs  	--      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
e0dd17
 /usr/lib(64)?/nagios/plugins/check_sensors	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_swap			--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_users		--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_wave			--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
e0dd17
 
e0dd17
 # services plugins
e0dd17
 /usr/lib(64)?/nagios/plugins/check_cluster   	--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
e0dd17
 /usr/lib(64)?/nagios/plugins/check_dhcp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_dig			--		gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
e0dd17
 /usr/lib(64)?/nagios/plugins/check_dns		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_game			--		gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_fping		--		gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_hpjd			--		gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
e0dd17
 /usr/lib(64)?/nagios/plugins/check_http      	--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_icmp			--		gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_ircd			--		gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_ldap			--		gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
e0dd17
 /usr/lib(64)?/nagios/plugins/check_mysql     	--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_mysql_query 	--		gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_nrpe			--		gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_nt			--		gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
e0dd17
 /usr/lib(64)?/nagios/plugins/check_ntp.*     	--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_oracle		--		gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_pgsql		--		gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
e0dd17
 /usr/lib(64)?/nagios/plugins/check_ping      	--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_radius		--		gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
e0dd17
 /usr/lib(64)?/nagios/plugins/check_real		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
e0dd17
 /usr/lib(64)?/nagios/plugins/check_rpc       	--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
e0dd17
-/usr/lib(64)?/nagios/plugins/check_ssh       	--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
e0dd17
 /usr/lib(64)?/nagios/plugins/check_tcp		--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
e0dd17
 /usr/lib(64)?/nagios/plugins/check_time		--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_sip			--		gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_smtp			--		gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_snmp.*		--		gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_ssh			--		gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
738cda
+/usr/lib(64)?/nagios/plugins/check_ups			--		gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
e0dd17
+
8ad564
+# unconfined plugins
8ad564
+/usr/lib(64)?/nagios/plugins/check_by_ssh		--		gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
8ad564
+
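Review bot: `check_users` is removed as `nagios_system_plugin_exec_t` and re-added as `nagios_services_plugin_exec_t`, and `check_breeze` and `check_dummy` get the services type too, yet all three sit under the `# system plugins` header; if the relabel is intentional, move those lines under `# services plugins`, otherwise restore `gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)` on them. `check_by_ssh` is labelled `nagios_unconfined_plugin_exec_t`, a type the nagios.te hunks in this patch do not declare, so confirm it exists before this ships. `check_ssh` is deleted and re-added with the same label, which is pure reordering.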
e0dd17
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te
8e9aa2
--- nsaserefpolicy/policy/modules/services/nagios.te	2010-01-18 18:24:22.823530245 +0100
c17c44
+++ serefpolicy-3.6.32/policy/modules/services/nagios.te	2010-01-22 16:03:19.932604694 +0100
8ad564
@@ -118,6 +118,9 @@
e0dd17
 corenet_udp_sendrecv_all_ports(nagios_t)
e0dd17
 corenet_tcp_connect_all_ports(nagios_t)
e0dd17
 
738cda
+corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t)
738cda
+corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t)    
e0dd17
+
e0dd17
 dev_read_sysfs(nagios_t)
e0dd17
 dev_read_urand(nagios_t)
e0dd17
 
c17c44
@@ -315,6 +318,10 @@
c17c44
 	mysql_stream_connect(nagios_services_plugin_t)
c17c44
 ')
c17c44
 
c17c44
+optional_policy(`
c17c44
+    snmp_read_snmp_var_lib_files(nagios_services_plugin_t)
c17c44
+')
c17c44
+
c17c44
 ######################################
c17c44
 #
c17c44
 # local policy for system check plugins 
e1add2
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.32/policy/modules/services/nx.if
e1add2
--- nsaserefpolicy/policy/modules/services/nx.if	2010-01-18 18:24:22.840530591 +0100
e1add2
+++ serefpolicy-3.6.32/policy/modules/services/nx.if	2010-01-26 14:43:43.595472728 +0100
e1add2
@@ -18,6 +18,24 @@
e1add2
 	spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
e1add2
 ')
e1add2
 
e1add2
+#######################################
e1add2
+## <summary>
e1add2
+## Execute the NX server.
e1add2
+## </summary>
e1add2
+## <param name="domain">
e1add2
+## 	<summary>
e1add2
+## 	Domain allowed access.
e1add2
+## 	</summary>
e1add2
+## </param>
e1add2
+#
e1add2
+interface(`nx_exec_server',`
e1add2
+	gen_require(`
e1add2
+		type nx_server_exec_t;
e1add2
+    ')
e1add2
+	
e1add2
+	can_exec($1, nx_server_exec_t)
e1add2
+')
e1add2
+ 
e1add2
 ########################################
e1add2
 ## <summary>
e1add2
 ##	Read nx home directory content
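Review bot: The summary of the new `nx_exec_server` interface should say that the NX server binary runs in the caller's own domain, because `can_exec` grants execute without a transition, unlike the `spec_domtrans_pattern` interface directly above it that switches to nx_server_t; suggested wording `## Execute the NX server in the caller domain (no domain transition).`. Since the caller keeps its own domain, whatever nxserver does runs with the caller's permissions, which is worth stating for the chfn_t user of this interface added in usermanage.te. The body also mixes whitespace: the `')` that closes gen_require is space-indented while its opening line uses a tab, the following line is a bare tab, and the line after the interface's closing `')` is a lone space.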
1fed36
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.32/policy/modules/services/openvpn.te
8e9aa2
--- nsaserefpolicy/policy/modules/services/openvpn.te	2010-01-18 18:24:22.843530414 +0100
e1add2
+++ serefpolicy-3.6.32/policy/modules/services/openvpn.te	2010-01-26 14:19:37.820463477 +0100
1fed36
@@ -85,6 +85,7 @@
1fed36
 corenet_udp_bind_generic_node(openvpn_t)
1fed36
 corenet_tcp_bind_openvpn_port(openvpn_t)
1fed36
 corenet_udp_bind_openvpn_port(openvpn_t)
1fed36
+corenet_tcp_bind_http_port(openvpn_t)
1fed36
 corenet_tcp_connect_openvpn_port(openvpn_t)
1fed36
 corenet_tcp_connect_http_port(openvpn_t)
1fed36
 corenet_tcp_connect_http_cache_port(openvpn_t)
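Review bot: `corenet_tcp_bind_http_port(openvpn_t)` lets the daemon listen on every port in http_port_t (at least 80 and 443), a much wider grant than the openvpn_port bind just above it, and the hunk gives no reason. Presumably this is for deployments that run OpenVPN on tcp/443 so that it looks like HTTPS to intermediaries, but that should be stated above the line, e.g. `# openvpn may be configured to listen on tcp/443, which is http_port_t`, so a later audit can tell a deliberate grant from a copy of the `corenet_tcp_connect_http_*` rules below. If the common case does not need it, gating the bind with a tunable would keep the default policy tighter.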
e1add2
@@ -102,6 +103,9 @@
e1add2
 
e1add2
 auth_use_pam(openvpn_t)
e1add2
 
e1add2
+init_read_utmp(openvpn_t)
e1add2
+init_dontaudit_write_utmp(openvpn_t)  
e1add2
+
e1add2
 logging_send_syslog_msg(openvpn_t)
e1add2
 
e1add2
 miscfiles_read_localization(openvpn_t)
c17c44
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te
c17c44
--- nsaserefpolicy/policy/modules/services/plymouth.te	2010-01-18 18:24:22.847540282 +0100
e1add2
+++ serefpolicy-3.6.32/policy/modules/services/plymouth.te	2010-01-27 16:41:36.145614526 +0100
c17c44
@@ -41,6 +41,19 @@
c17c44
 allow plymouthd_t self:fifo_file rw_fifo_file_perms;
c17c44
 allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
c17c44
 
c17c44
+manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t,  plymouthd_var_run_t)
c17c44
+manage_files_pattern(plymouthd_t, plymouthd_var_run_t,  plymouthd_var_run_t)
c17c44
+files_pid_filetrans(plymouthd_t,plymouthd_var_run_t, { file dir })
c17c44
+
c17c44
+manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t,  plymouthd_var_lib_t)
c17c44
+manage_files_pattern(plymouthd_t, plymouthd_var_lib_t,  plymouthd_var_lib_t)
c17c44
+files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
c17c44
+
c17c44
+manage_dirs_pattern(plymouthd_t, plymouthd_spool_t,  plymouthd_spool_t)
c17c44
+manage_files_pattern(plymouthd_t, plymouthd_spool_t,  plymouthd_spool_t)
c17c44
+manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t,  plymouthd_spool_t)
c17c44
+files_spool_filetrans(plymouthd_t,plymouthd_spool_t, { file dir sock_file })
c17c44
+
c17c44
 kernel_read_system_state(plymouthd_t)
c17c44
 kernel_request_load_module(plymouthd_t)
c17c44
 kernel_change_ring_buffer_level(plymouthd_t)
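Review bot: The relocated `files_pid_filetrans(plymouthd_t,plymouthd_var_run_t, { file dir })` and `files_spool_filetrans(plymouthd_t,plymouthd_spool_t, { file dir sock_file })` lines carry the missing space after the first comma over from their old position; since the block is being moved anyway (the matching deletion is the @@ -58 hunk below), this is the moment to write them as `files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })` and `files_spool_filetrans(plymouthd_t, plymouthd_spool_t, { file dir sock_file })`. The double space before the last argument of the `manage_*_pattern` calls could be normalised in the same pass.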
c17c44
@@ -58,18 +71,6 @@
c17c44
 miscfiles_read_localization(plymouthd_t)
c17c44
 miscfiles_read_fonts(plymouthd_t)
c17c44
 
c17c44
-manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t,  plymouthd_var_run_t)
c17c44
-manage_files_pattern(plymouthd_t, plymouthd_var_run_t,  plymouthd_var_run_t)
c17c44
-files_pid_filetrans(plymouthd_t,plymouthd_var_run_t, { file dir })
c17c44
-
c17c44
-manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t,  plymouthd_var_lib_t)
c17c44
-manage_files_pattern(plymouthd_t, plymouthd_var_lib_t,  plymouthd_var_lib_t)
c17c44
-files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
c17c44
-
c17c44
-manage_dirs_pattern(plymouthd_t, plymouthd_spool_t,  plymouthd_spool_t)
c17c44
-manage_files_pattern(plymouthd_t, plymouthd_spool_t,  plymouthd_spool_t)
c17c44
-manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t,  plymouthd_spool_t)
c17c44
-files_spool_filetrans(plymouthd_t,plymouthd_spool_t, { file dir sock_file })
c17c44
 
c17c44
 ########################################
c17c44
 #
e1add2
@@ -80,8 +81,11 @@
e1add2
 allow plymouth_t self:fifo_file rw_file_perms;
e1add2
 allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
c17c44
 
e1add2
+kernel_read_system_state(plymouth_t)
c17c44
 kernel_stream_connect(plymouth_t)
c17c44
 
c17c44
+term_use_ptmx(plymouth_t)   
c17c44
+
c17c44
 domain_use_interactive_fds(plymouth_t)
c17c44
 
c17c44
 files_read_etc_files(plymouth_t)
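Review bot: `term_use_ptmx(plymouth_t)` gives the plymouth client read/write access to /dev/ptmx with no comment on which invocation needs it, and nothing in the file records the denial it answers. A why-comment such as `# <invoking script>: plymouth opens /dev/ptmx when run from <context>` (filled in from the audit record) would document the grant for the next reader. The line also carries trailing whitespace.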
1f5c71
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
8e9aa2
--- nsaserefpolicy/policy/modules/services/postfix.te	2010-01-18 18:24:22.855540671 +0100
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/services/postfix.te	2010-01-18 18:27:02.768530934 +0100
1f5c71
@@ -443,6 +443,7 @@
1f5c71
 
1f5c71
 optional_policy(`
1f5c71
 	spamassassin_domtrans_client(postfix_pipe_t)
1f5c71
+    spamassassin_kill_client(postfix_pipe_t)
1f5c71
 ')
1f5c71
 
1f5c71
 optional_policy(`
e0dd17
@@ -486,7 +487,7 @@
e0dd17
 ')
e0dd17
 
e0dd17
 optional_policy(`
e0dd17
-	sendmail_dontaudit_rw_unix_stream_sockets(postfix_postdrop_t)
e0dd17
+	sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
e0dd17
 ')
e0dd17
 
e0dd17
 optional_policy(`
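Review bot: Replacing `sendmail_dontaudit_rw_unix_stream_sockets(postfix_postdrop_t)` with `sendmail_rw_unix_stream_sockets(postfix_postdrop_t)` turns a silenced denial into a granted access, and the hunk records no reason; the same promotion from dontaudit to allow happens in virt.te @@ -226 with `userdom_list_admin_dir(virtd_t)`. The dontaudit was put there because the access was judged unnecessary, so the reversal deserves a comment naming what breaks without it, e.g. `# <reason>: postdrop needs the inherited sendmail socket, not just to ignore it`, or a reference to the report that motivated it. Otherwise the next maintainer cannot tell a deliberate widening from a fix for audit noise.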
1f5c71
@@ -573,6 +574,8 @@
1f5c71
 # Postfix smtp delivery local policy
1f5c71
 #
1f5c71
 
1f5c71
+allow postfix_smtp_t self:capability { sys_chroot };
1f5c71
+
1f5c71
 # connect to master process
1f5c71
 stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t)
1f5c71
 
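Review bot: `allow postfix_smtp_t self:capability { sys_chroot };` wraps a single permission in braces, which refpolicy style does not do for a lone permission; write it as `allow postfix_smtp_t self:capability sys_chroot;`. sys_chroot is a privilege worth a why-comment: presumably the smtp client chroots itself into the queue directory when master.cf enables chroot for the service, so `# smtp(8) chroots itself when master.cf enables chroot for the service` above the rule would record that. If only some installations run the service chrooted, a tunable could gate the capability instead of granting it unconditionally.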
e1add2
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.32/policy/modules/services/prelude.te
e1add2
--- nsaserefpolicy/policy/modules/services/prelude.te	2010-01-18 18:24:22.861530469 +0100
e1add2
+++ serefpolicy-3.6.32/policy/modules/services/prelude.te	2010-01-26 15:37:38.488473779 +0100
e1add2
@@ -250,6 +250,8 @@
e1add2
 files_read_etc_files(prelude_lml_t)
e1add2
 files_read_etc_runtime_files(prelude_lml_t)
e1add2
 
e1add2
+fs_getattr_all_fs(prelude_lml_t)
e1add2
+fs_list_inotifyfs(prelude_lml_t)
e1add2
 fs_rw_anon_inodefs_files(prelude_lml_t)
e1add2
 
e1add2
 auth_use_nsswitch(prelude_lml_t)
1f5c71
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te
8e9aa2
--- nsaserefpolicy/policy/modules/services/samba.te	2010-01-18 18:24:22.886540773 +0100
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/services/samba.te	2010-01-18 18:27:02.770531119 +0100
1f5c71
@@ -286,6 +286,8 @@
1f5c71
 
1f5c71
 allow smbd_t winbind_t:process { signal signull };
1f5c71
 
1f5c71
+allow smbd_t swat_t:process signal;  
1f5c71
+
1f5c71
 kernel_getattr_core_if(smbd_t)
1f5c71
 kernel_getattr_message_if(smbd_t)
1f5c71
 kernel_read_network_state(smbd_t)
1f5c71
@@ -485,6 +487,8 @@
1f5c71
 
1f5c71
 manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
1f5c71
 
1f5c71
+allow nmbd_t swat_t:process signal;
1f5c71
+
1f5c71
 allow nmbd_t smbcontrol_t:process signal;
1f5c71
 
1f5c71
 allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
1f5c71
@@ -661,6 +665,7 @@
1f5c71
 allow swat_t self:udp_socket create_socket_perms;
1f5c71
 allow swat_t self:unix_stream_socket connectto;
1f5c71
 
1f5c71
+samba_domtrans_nmbd(swat_t)
1f5c71
 allow swat_t nmbd_t:process { signal signull };
1f5c71
 
1f5c71
 allow swat_t nmbd_exec_t:file mmap_file_perms;
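Review bot: `samba_domtrans_nmbd(swat_t)` calls samba's own interface from inside samba.te, which refpolicy's style guidance discourages because a module should express its own rules directly; write `domtrans_pattern(swat_t, nmbd_exec_t, nmbd_t)` instead. Once the transition is in place, the `allow swat_t nmbd_exec_t:file mmap_file_perms;` rule two lines below overlaps the execute permission the pattern grants, so check whether it is still needed. A blank line between the new call and the existing `allow swat_t nmbd_t:process { signal signull };` rule would match the grouping used elsewhere in the file.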
e0dd17
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.32/policy/modules/services/sendmail.te
8e9aa2
--- nsaserefpolicy/policy/modules/services/sendmail.te	2010-01-18 18:24:22.889530888 +0100
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/services/sendmail.te	2010-01-18 18:27:02.771531176 +0100
e0dd17
@@ -136,6 +136,8 @@
e0dd17
 
e0dd17
 optional_policy(`
e0dd17
 	fail2ban_read_lib_files(sendmail_t)
e0dd17
+    fail2ban_rw_stream_sockets(sendmail_t)
e0dd17
+
e0dd17
 ')
e0dd17
 
e0dd17
 optional_policy(`
1f5c71
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te
8e9aa2
--- nsaserefpolicy/policy/modules/services/snmp.te	2010-01-18 18:24:22.892539860 +0100
3391ad
+++ serefpolicy-3.6.32/policy/modules/services/snmp.te	2010-01-19 14:20:15.303858953 +0100
3391ad
@@ -25,9 +25,9 @@
1f5c71
 #
3391ad
 # Local policy
3391ad
 #
3391ad
-allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
3391ad
+allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
1f5c71
 dontaudit snmpd_t self:capability { sys_module sys_tty_config };
1f5c71
-allow snmpd_t self:process { signal_perms getsched setsched };
1f5c71
+allow snmpd_t self:process { signal signal_perms getsched setsched };
1f5c71
 allow snmpd_t self:fifo_file rw_fifo_file_perms;
1f5c71
 allow snmpd_t self:unix_dgram_socket create_socket_perms;
1f5c71
 allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
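Review bot: Adding `signal` to `allow snmpd_t self:process { signal signal_perms getsched setsched };` is redundant, because the `signal_perms` set already expands to include `signal` (alongside sigchld, sigkill, sigstop and signull); the previous form `allow snmpd_t self:process { signal_perms getsched setsched };` already granted it, so that part of the hunk should be dropped. The `chown` capability added to the capability set is a real widening and gets no comment; a line such as `# snmpd chowns <which files> (see <audit/bug reference>)` above the rule would record why the daemon needs to change file ownership.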
e1add2
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.32/policy/modules/services/snort.te
e1add2
--- nsaserefpolicy/policy/modules/services/snort.te	2010-01-18 18:24:22.893530558 +0100
e1add2
+++ serefpolicy-3.6.32/policy/modules/services/snort.te	2010-01-27 17:37:08.744613818 +0100
e1add2
@@ -78,6 +78,7 @@
e1add2
 dev_read_sysfs(snort_t)
e1add2
 dev_read_rand(snort_t)
e1add2
 dev_read_urand(snort_t)
e1add2
+dev_read_usbmon_dev(snort_t)
e1add2
 
e1add2
 domain_use_interactive_fds(snort_t)
e1add2
 
1f5c71
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.32/policy/modules/services/spamassassin.if
8e9aa2
--- nsaserefpolicy/policy/modules/services/spamassassin.if	2010-01-18 18:24:22.895529974 +0100
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.if	2010-01-18 18:27:02.773531151 +0100
1f5c71
@@ -267,6 +267,24 @@
1f5c71
 	stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
1f5c71
 ')
1f5c71
 
1f5c71
+######################################
1f5c71
+## <summary>
1f5c71
+##  Send kill signal to spamassassin client
1f5c71
+## </summary>
1f5c71
+## <param name="domain">
1f5c71
+##  <summary>
1f5c71
+##  Domain allowed access.
1f5c71
+##  </summary>
1f5c71
+## </param>
1f5c71
+#
1f5c71
+interface(`spamassassin_kill_client',`
1f5c71
+    gen_require(`
1f5c71
+        type spamc_t;
1f5c71
+    ')
1f5c71
+
1f5c71
+    allow $1 spamc_t:process sigkill;
1f5c71
+')
1f5c71
+
1f5c71
 ########################################
1f5c71
 ## <summary>
1f5c71
 ##	All of the rules required to administrate 
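Review bot: The doc block of the new `spamassassin_kill_client` interface does not follow the file's comment layout: its banner is two characters shorter than the `########################################` used by the neighbouring interfaces, and its summary lines use `##` followed by two spaces where the rest of the file uses `##` followed by a tab (see the `##\tAll of the rules required to administrate` line just below). The summary could also name the signal and the target type, e.g. `##\tSend a SIGKILL to the spamassassin client (spamc_t).`, so the generated documentation matches the `allow $1 spamc_t:process sigkill;` rule it describes.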
b32d59
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te
8e9aa2
--- nsaserefpolicy/policy/modules/services/ssh.te	2010-01-18 18:24:22.899530064 +0100
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/services/ssh.te	2010-01-18 18:27:02.774530790 +0100
d5b741
@@ -8,31 +8,6 @@
d5b741
 
d5b741
 ## <desc>
d5b741
 ## 

d5b741
-## Allow sftp to upload files, used for public file
d5b741
-## transfer services. Directories must be labeled
d5b741
-## public_content_rw_t.
d5b741
-## 

d5b741
-## </desc>
d5b741
-gen_tunable(allow_sftpd_anon_write, false)
d5b741
-
d5b741
-## <desc>
d5b741
-## 

d5b741
-## Allow sftp to login to local users and 
d5b741
-## read/write all files on the system, governed by DAC.
d5b741
-## 

d5b741
-## </desc>
d5b741
-gen_tunable(allow_sftpd_full_access, false)
d5b741
-
d5b741
-## <desc>
d5b741
-## 

d5b741
-## Allow interlnal-sftp to read and write files 
d5b741
-## in the user ssh home directories.
d5b741
-## 

d5b741
-## </desc>
d5b741
-gen_tunable(sftpd_ssh_home_dir, false)
d5b741
-
d5b741
-## <desc>
d5b741
-## 

d5b741
 ## allow host key based authentication
d5b741
 ## 

d5b741
 ## </desc>
d5b741
@@ -69,10 +44,6 @@
d5b741
 type sshd_tmpfs_t;
d5b741
 files_tmpfs_file(sshd_tmpfs_t)
d5b741
 
d5b741
-type sftpd_t;
d5b741
-domain_type(sftpd_t)
d5b741
-role system_r types sftpd_t;
d5b741
-
d5b741
 ifdef(`enable_mcs',`
d5b741
 	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
d5b741
 ')
d5b741
@@ -361,6 +332,11 @@
d5b741
 ')
d5b741
 
d5b741
 optional_policy(`
d5b741
+    ftp_dyntransition_sftpd(sshd_t)
d5b741
+    ftp_dyntransition_sftpd_anon(sshd_t)
d5b741
+')
d5b741
+
d5b741
+optional_policy(`
d5b741
 	gitosis_manage_var_lib(sshd_t)
d5b741
 ')
b32d59
 
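Review bot: The two `ftp_dyntransition_sftpd*` calls presumably replace the sftpd_t type, the `allow ssh_server sftpd_t:process dyntransition;` rule and the three tunables (`allow_sftpd_anon_write`, `allow_sftpd_full_access`, `sftpd_ssh_home_dir`) that this diff deletes from ssh.te, so the ftp module must now define the sftpd domains and, if the booleans are meant to survive, the same tunable names; ftp.te is not part of this chunk, so that cannot be confirmed here. If the names changed, existing setsebool settings are silently dropped at policy upgrade, which for `allow_sftpd_full_access` means sftp logins lose DAC-governed access with no audit message pointing at the cause. A short comment above the block, e.g. `# sftp-server domains and their tunables now live in ftp.te`, would tell the reader where the moved policy went.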
d5b741
@@ -468,49 +444,3 @@
d5b741
 	udev_read_db(ssh_keygen_t)
d5b741
 ')
b32d59
 
d5b741
-#######################################
d5b741
-#
d5b741
-# sftp Local policy
d5b741
-#
d5b741
-
d5b741
-allow ssh_server sftpd_t:process dyntransition;
d5b741
-
d5b741
-ssh_sigchld(sftpd_t)
d5b741
-
b32d59
-files_read_all_files(sftpd_t)
b32d59
-files_read_all_symlinks(sftpd_t)
d5b741
-
d5b741
-fs_read_noxattr_fs_files(sftpd_t)
d5b741
-fs_read_nfs_files(sftpd_t)
d5b741
-fs_read_cifs_files(sftpd_t)
d5b741
-
d5b741
-# allow access to /home by default
d5b741
-userdom_manage_user_home_content_dirs(sftpd_t)
d5b741
-userdom_manage_user_home_content_files(sftpd_t)
d5b741
-userdom_manage_user_home_content_symlinks(sftpd_t)
d5b741
-
d5b741
-userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
d5b741
-
d5b741
-tunable_policy(`allow_sftpd_anon_write',`
d5b741
-    miscfiles_manage_public_files(sftpd_t)
d5b741
-')
d5b741
-
d5b741
-tunable_policy(`allow_sftpd_full_access',`
d5b741
-    allow sftpd_t self:capability { dac_override dac_read_search };
d5b741
-    fs_read_noxattr_fs_files(sftpd_t)
d5b741
-    auth_manage_all_files_except_shadow(sftpd_t)
d5b741
-')
d5b741
-
d5b741
-tunable_policy(`sftpd_ssh_home_dir',`
d5b741
-    ssh_manage_user_home_files(sftpd_t)
d5b741
-')
d5b741
-
d5b741
-tunable_policy(`use_nfs_home_dirs',`
d5b741
-    fs_manage_nfs_dirs(sftpd_t)
d5b741
-    fs_manage_nfs_files(sftpd_t)
d5b741
-')
d5b741
-
d5b741
-tunable_policy(`use_samba_home_dirs',`
d5b741
-    fs_manage_cifs_dirs(sftpd_t)
d5b741
-    fs_manage_cifs_files(sftpd_t)
d5b741
-')
3391ad
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.32/policy/modules/services/sssd.fc
3391ad
--- nsaserefpolicy/policy/modules/services/sssd.fc	2010-01-18 18:24:22.900529842 +0100
3391ad
+++ serefpolicy-3.6.32/policy/modules/services/sssd.fc	2010-01-19 17:08:41.212631842 +0100
3391ad
@@ -4,6 +4,8 @@
3391ad
 
3391ad
 /var/lib/sss(/.*)?		gen_context(system_u:object_r:sssd_var_lib_t,s0)
3391ad
 
3391ad
+/var/lib/sss/pubconf(/.*)?	gen_context(system_u:object_r:sssd_public_t,s0)
3391ad
+
3391ad
 /var/log/sssd(/.*)?		gen_context(system_u:object_r:sssd_var_lib_t,s0)
3391ad
 
3391ad
 /var/run/sssd.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
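Review bot: `/var/lib/sss/pubconf(/.*)?` is labelled sssd_public_t, but sssd.te @@ -13 declares that type with `files_pid_file(sssd_public_t)`, which marks it as /var/run content even though the path lives under /var/lib; `files_type(sssd_public_t)` would describe it accurately, and the new `sssd_read_public_files` interface already reaches it through `sssd_search_lib`, not through the pid directory. As a pid-file type it also falls under whatever interfaces act on the pidfile attribute as a whole, which is wider than a directory under /var/lib needs. Note too that sssd.te adds manage patterns for sssd_public_t but no file transition, so the pubconf directory only carries this label if the package ships it or it is relabelled; a directory sssd_t creates itself under /var/lib/sss inherits sssd_var_lib_t.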
8ad564
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.32/policy/modules/services/sssd.if
8e9aa2
--- nsaserefpolicy/policy/modules/services/sssd.if	2010-01-18 18:24:22.901529830 +0100
3391ad
+++ serefpolicy-3.6.32/policy/modules/services/sssd.if	2010-01-19 17:08:45.945631552 +0100
3391ad
@@ -12,8 +12,7 @@
3391ad
 #
3391ad
 interface(`sssd_domtrans',`
3391ad
 	gen_require(`
3391ad
-		type sssd_t;
3391ad
-                type sssd_exec_t;
3391ad
+		type sssd_t, sssd_exec_t;
3391ad
 	')
8ad564
 
3391ad
 	domtrans_pattern($1, sssd_exec_t, sssd_t)
3391ad
@@ -26,7 +25,7 @@
3391ad
 ## </summary>
3391ad
 ## <param name="domain">
3391ad
 ##	<summary>
3391ad
-##	The type of the process performing this action.
3391ad
+##	Domain allowed access.
3391ad
 ##	</summary>
3391ad
 ## </param>
3391ad
 #
3391ad
@@ -40,6 +39,25 @@
3391ad
 
3391ad
 ########################################
3391ad
 ## <summary>
3391ad
+##	Read sssd public files.
8ad564
+## </summary>
8ad564
+## <param name="domain">
3391ad
+##	<summary>
3391ad
+##	Domain allowed access.
3391ad
+##	</summary>
8ad564
+## </param>
8ad564
+#
3391ad
+interface(`sssd_read_public_files',`
3391ad
+	gen_require(`
3391ad
+		type sssd_public_t;
3391ad
+	')
8ad564
+
3391ad
+	sssd_search_lib($1)
3391ad
+	read_files_pattern($1, sssd_public_t, sssd_public_t)
8ad564
+')
8ad564
+
3391ad
+########################################
3391ad
+## <summary>
3391ad
 ##	Read sssd PID files.
3391ad
 ## </summary>
3391ad
 ## <param name="domain">
3391ad
@@ -59,7 +77,7 @@
3391ad
 
3391ad
 ########################################
3391ad
 ## <summary>
3391ad
-##	Manage sssd var_run files.
3391ad
+##	Read sssd config files.
3391ad
 ## </summary>
3391ad
 ## <param name="domain">
3391ad
 ##	<summary>
3391ad
@@ -67,18 +85,18 @@
3391ad
 ##	</summary>
3391ad
 ## </param>
3391ad
 #
3391ad
-interface(`sssd_manage_pids',`
3391ad
+interface(`sssd_read_config_files',`
3391ad
 	gen_require(`
3391ad
-		type sssd_var_run_t;
3391ad
+		type sssd_config_t;
3391ad
 	')
3391ad
 
3391ad
-	manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
3391ad
-	manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
3391ad
+	sssd_search_lib($1)
3391ad
+	read_files_pattern($1, sssd_config_t, sssd_config_t)
3391ad
 ')
3391ad
 
3391ad
 ########################################
3391ad
 ## <summary>
3391ad
-##	Search sssd lib directories.
3391ad
+##	Manage sssd var_run files.
3391ad
 ## </summary>
3391ad
 ## <param name="domain">
3391ad
 ##	<summary>
3391ad
@@ -86,18 +104,18 @@
3391ad
 ##	</summary>
3391ad
 ## </param>
3391ad
 #
3391ad
-interface(`sssd_search_lib',`
3391ad
+interface(`sssd_manage_pids',`
3391ad
 	gen_require(`
3391ad
-		type sssd_var_lib_t;
3391ad
+		type sssd_var_run_t;
3391ad
 	')
3391ad
 
3391ad
-	allow $1 sssd_var_lib_t:dir search_dir_perms;
3391ad
-	files_search_var_lib($1)
3391ad
+	manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
3391ad
+	manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
3391ad
 ')
3391ad
 
3391ad
 ########################################
3391ad
 ## <summary>
3391ad
-##	Read sssd lib files.
3391ad
+##	Search sssd lib directories.
3391ad
 ## </summary>
3391ad
 ## <param name="domain">
3391ad
 ##	<summary>
3391ad
@@ -105,18 +123,18 @@
3391ad
 ##	</summary>
3391ad
 ## </param>
3391ad
 #
3391ad
-interface(`sssd_read_lib_files',`
3391ad
+interface(`sssd_search_lib',`
3391ad
 	gen_require(`
3391ad
 		type sssd_var_lib_t;
3391ad
 	')
3391ad
 
3391ad
+	allow $1 sssd_var_lib_t:dir search_dir_perms;
3391ad
 	files_search_var_lib($1)
3391ad
-	read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
3391ad
 ')
3391ad
 
8ad564
 ########################################
8ad564
 ## <summary>
3391ad
-##	Read sssd config files.
3391ad
+##	dontaudit search sssd lib directories.
3391ad
 ## </summary>
3391ad
 ## <param name="domain">
3391ad
 ##	<summary>
3391ad
@@ -124,19 +142,18 @@
3391ad
 ##	</summary>
3391ad
 ## </param>
3391ad
 #
3391ad
-interface(`sssd_read_config_files',`
3391ad
+interface(`sssd_dontaudit_search_lib',`
3391ad
 	gen_require(`
3391ad
-		type sssd_config_t;
3391ad
+		type sssd_var_lib_t;
3391ad
 	')
3391ad
 
3391ad
-	sssd_search_lib($1)
3391ad
-	read_files_pattern($1, sssd_config_t, sssd_config_t)
3391ad
+	dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
3391ad
+	files_search_var_lib($1)
3391ad
 ')
3391ad
 
3391ad
 ########################################
3391ad
 ## <summary>
3391ad
-##	Create, read, write, and delete
3391ad
-##	sssd lib files.
3391ad
+##	Read sssd lib files.
3391ad
 ## </summary>
3391ad
 ## <param name="domain">
3391ad
 ##	<summary>
3391ad
@@ -144,18 +161,19 @@
3391ad
 ##	</summary>
3391ad
 ## </param>
3391ad
 #
3391ad
-interface(`sssd_manage_lib_files',`
3391ad
+interface(`sssd_read_lib_files',`
3391ad
 	gen_require(`
3391ad
 		type sssd_var_lib_t;
3391ad
 	')
3391ad
 
3391ad
 	files_search_var_lib($1)
3391ad
-	manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
3391ad
+	read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
3391ad
 ')
3391ad
 
3391ad
 ########################################
3391ad
 ## <summary>
3391ad
-##	Manage sssd var_lib files.
3391ad
+##	Create, read, write, and delete
3391ad
+##	sssd lib files.
3391ad
 ## </summary>
3391ad
 ## <param name="domain">
3391ad
 ##	<summary>
3391ad
@@ -163,17 +181,15 @@
3391ad
 ##	</summary>
3391ad
 ## </param>
3391ad
 #
3391ad
-interface(`sssd_manage_var_lib',`
3391ad
+interface(`sssd_manage_lib_files',`
3391ad
 	gen_require(`
3391ad
 		type sssd_var_lib_t;
3391ad
 	')
3391ad
 
3391ad
-         manage_dirs_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
3391ad
+	files_search_var_lib($1)
3391ad
          manage_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
3391ad
-         manage_lnk_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
3391ad
 ')
3391ad
 
3391ad
-
3391ad
 ########################################
3391ad
 ## <summary>
3391ad
 ##	Send and receive messages from
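Review bot: This hunk removes the exported `sssd_manage_var_lib` interface outright (its slot is taken by `sssd_manage_lib_files`, which loses the `manage_dirs_pattern` and `manage_lnk_files_pattern` calls in the process), so any module calling `sssd_manage_var_lib` stops building and any caller migrated to the renamed interface silently loses directory and symlink management. If external callers exist, keep a deprecated wrapper that emits a `refpolicywarn` naming `sssd_manage_lib_files` and forwards to `sssd_manage_lib_files($*)`, or confirm with a grep of the tree that nothing outside sssd uses the old name. The context line `         manage_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t)` keeps its nine-space indent and missing spaces after the commas while the line added above it is tab-indented; since the body is being rewritten anyway, make it `\tmanage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)`.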
3391ad
@@ -238,16 +254,13 @@
3391ad
 #
3391ad
 interface(`sssd_admin',`
3391ad
 	gen_require(`
3391ad
-		type sssd_t;
3391ad
+		type sssd_t, sssd_public_t;
3391ad
+		type sssd_initrc_exec_t;
3391ad
 	')
3391ad
 
3391ad
 	allow $1 sssd_t:process { ptrace signal_perms getattr };
3391ad
 	read_files_pattern($1, sssd_t, sssd_t)
3391ad
 
3391ad
-	gen_require(`
3391ad
-		type sssd_initrc_exec_t;
3391ad
-	')
3391ad
-
3391ad
 	# Allow sssd_t to restart the apache service
3391ad
 	sssd_initrc_domtrans($1)
3391ad
 	domain_system_change_exemption($1)
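Review bot: The comment `# Allow sssd_t to restart the apache service` in sssd_admin looks like a leftover from the apache module (the call beneath it is `sssd_initrc_domtrans($1)`), and since this hunk already rewrites the gen_require right above it, the comment could be corrected in the same change to `# Allow the admin domain to run the sssd init script`. The comment is a context line, so the mistake is pre-existing rather than introduced here. Merging the second gen_require into the first is otherwise fine.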
3391ad
@@ -257,4 +270,6 @@
3391ad
 	sssd_manage_pids($1)
3391ad
 
3391ad
 	sssd_manage_lib_files($1)
3391ad
+
3391ad
+	admin_pattern($1, sssd_public_t)
3391ad
 ')
3391ad
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.32/policy/modules/services/sssd.te
3391ad
--- nsaserefpolicy/policy/modules/services/sssd.te	2010-01-18 18:24:22.901529830 +0100
3391ad
+++ serefpolicy-3.6.32/policy/modules/services/sssd.te	2010-01-19 17:08:54.487643800 +0100
3391ad
@@ -1,5 +1,5 @@
3391ad
 
3391ad
-policy_module(sssd, 1.0.0)
3391ad
+policy_module(sssd, 1.0.1)
3391ad
 
3391ad
 ########################################
3391ad
 #
3391ad
@@ -13,6 +13,9 @@
3391ad
 type sssd_initrc_exec_t;
3391ad
 init_script_file(sssd_initrc_exec_t)
3391ad
 
3391ad
+type sssd_public_t;
3391ad
+files_pid_file(sssd_public_t)
3391ad
+
3391ad
 type sssd_var_lib_t;
3391ad
 files_type(sssd_var_lib_t)
3391ad
 
3391ad
@@ -31,6 +34,9 @@
3391ad
 allow sssd_t self:fifo_file rw_file_perms;
3391ad
 allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
3391ad
 
3391ad
+manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
3391ad
+manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
3391ad
+
3391ad
 manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
3391ad
 manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
3391ad
 manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
3391ad
@@ -43,8 +49,6 @@
3391ad
 manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
3391ad
 files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
3391ad
 
3391ad
-fs_list_inotifyfs(sssd_t)
3391ad
-
3391ad
 kernel_read_system_state(sssd_t)
3391ad
 
3391ad
 corecmd_exec_bin(sssd_t)
3391ad
@@ -58,6 +62,8 @@
3391ad
 files_read_etc_files(sssd_t)
3391ad
 files_read_usr_files(sssd_t)
3391ad
 
3391ad
+fs_list_inotifyfs(sssd_t)
3391ad
+
3391ad
 auth_use_nsswitch(sssd_t)
3391ad
 auth_domtrans_chk_passwd(sssd_t)
3391ad
 auth_domtrans_upd_passwd(sssd_t)
3391ad
@@ -69,7 +75,7 @@
3391ad
 
3391ad
 miscfiles_read_localization(sssd_t)
3391ad
 
3391ad
-userdom_manage_tmp_role(system_t, sssd_t)
3391ad
+userdom_manage_tmp_role(system_r, sssd_t)
3391ad
 
3391ad
 optional_policy(`
3391ad
 	dbus_system_bus_client(sssd_t)
8e9aa2
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.6.32/policy/modules/services/tftp.te
8e9aa2
--- nsaserefpolicy/policy/modules/services/tftp.te	2009-09-16 16:01:19.000000000 +0200
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/services/tftp.te	2010-01-19 12:02:02.773609654 +0100
8e9aa2
@@ -50,6 +50,7 @@
8e9aa2
 manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t)
8e9aa2
 files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
8e9aa2
 
8e9aa2
+kernel_read_system_state(tftpd_t)
8e9aa2
 kernel_read_kernel_sysctls(tftpd_t)
8e9aa2
 kernel_list_proc(tftpd_t)
8e9aa2
 kernel_read_proc_symlinks(tftpd_t)
e1add2
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.6.32/policy/modules/services/tgtd.te
e1add2
--- nsaserefpolicy/policy/modules/services/tgtd.te	2010-01-18 18:24:22.905534669 +0100
e1add2
+++ serefpolicy-3.6.32/policy/modules/services/tgtd.te	2010-01-26 14:33:27.943463104 +0100
e1add2
@@ -63,6 +63,7 @@
e1add2
 files_read_etc_files(tgtd_t)
e1add2
 
e1add2
 storage_getattr_fixed_disk_dev(tgtd_t)
e1add2
+storage_manage_fixed_disk(tgtd_t)
e1add2
 
e1add2
 logging_send_syslog_msg(tgtd_t)
e1add2
 
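Review bot: `storage_manage_fixed_disk(tgtd_t)` grants full manage access to fixed-disk block device nodes, a considerable widening from the `storage_getattr_fixed_disk_dev` line above it, and the hunk does not say why. Presumably tgtd needs it because iSCSI targets can be backed by raw block devices, so a comment such as `# targets may be backed by raw block devices, which tgtd reads and writes` should accompany the rule. Because this lets a compromised tgtd write to any local disk, it is worth considering a tunable so hosts that only export file-backed LUNs do not carry the access by default.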
1f5c71
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
8e9aa2
--- nsaserefpolicy/policy/modules/services/virt.te	2010-01-18 18:24:22.915540061 +0100
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/services/virt.te	2010-01-18 18:27:02.776530834 +0100
8ad564
@@ -226,7 +226,7 @@
8ad564
 sysnet_domtrans_ifconfig(virtd_t)
8ad564
 sysnet_read_config(virtd_t)
8ad564
 
8ad564
-userdom_dontaudit_list_admin_dir(virtd_t)
8ad564
+userdom_list_admin_dir(virtd_t)
8ad564
 userdom_getattr_all_users(virtd_t)
8ad564
 userdom_list_user_home_content(virtd_t)
8ad564
 userdom_read_all_users_state(virtd_t)
1f5c71
@@ -430,6 +430,8 @@
1f5c71
 corenet_tcp_connect_virt_migration_port(virt_domain)
1f5c71
 
1f5c71
 dev_read_sound(virt_domain)
1f5c71
+dev_read_rand(virt_domain)
1f5c71
+dev_read_urand(virt_domain)
1f5c71
 dev_write_sound(virt_domain)
1f5c71
 dev_rw_ksm(virt_domain)
1f5c71
 dev_rw_kvm(virt_domain)
e0dd17
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
8e9aa2
--- nsaserefpolicy/policy/modules/services/xserver.fc	2010-01-18 18:24:22.917530119 +0100
8e9aa2
+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc	2010-01-18 18:27:02.777542764 +0100
e0dd17
@@ -65,6 +65,8 @@
e0dd17
 /usr/(s)?bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
e0dd17
 /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
e0dd17
 /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
e0dd17
+/usr/bin/lxdm       --  gen_context(system_u:object_r:xdm_exec_t,s0)
e0dd17
+/usr/bin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
e0dd17
 /usr/bin/slim		--	gen_context(system_u:object_r:xdm_exec_t,s0)
e0dd17
 /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
e0dd17
 /usr/bin/Xephyr		--	gen_context(system_u:object_r:xserver_exec_t,s0)
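Review bot: The two new lxdm entries align their `--` and `gen_context` columns with runs of spaces (`/usr/bin/lxdm       --  gen_context(...)`) while every neighbouring line uses tabs; the same applies to the `/var/log/lxdm\.log.*` line in the @@ -105 hunk. File-context files in refpolicy are tab-separated, so replace the spaces with tabs, e.g. `/usr/bin/lxdm\t\t--\tgen_context(system_u:object_r:xdm_exec_t,s0)`.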
e0dd17
@@ -105,6 +107,7 @@
e0dd17
 /var/log/[kw]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
e0dd17
 /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
e0dd17
 /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
e0dd17
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
e0dd17
 /var/log/nvidia-installer\.log.* --	gen_context(system_u:object_r:xserver_log_t,s0)
e0dd17
 
e0dd17
 /var/spool/gdm(/.*)?	 	gen_context(system_u:object_r:xdm_spool_t,s0)
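Review bot: `/var/log/lxdm\.log.*` is given xdm_log_t while the adjacent `[kw]dm\.log.*`, XFree86 and Xorg entries are xserver_log_t, so a reader cannot tell whether the different type is deliberate. If lxdm writes that log itself as the display manager (xdm_t) then xdm_log_t is the right choice and deserves a short comment, e.g. `# written by lxdm itself (xdm_t), not by the X server`; if the X server is what writes it, the entry should follow its neighbours.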
e0dd17
@@ -116,6 +119,7 @@