Blob Blame Raw
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.12/policy/mcs
--- nsaserefpolicy/policy/mcs	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/mcs	2009-06-25 10:21:01.000000000 +0200
@@ -66,7 +66,7 @@
 #
 # Note that getattr on files is always permitted.
 #
-mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
+mlsconstrain { file chr_file blk_file sock_file lnk_file fifo_file } { write setattr append unlink link rename ioctl lock execute relabelfrom }
 	(( h1 dom h2 ) or ( t1 == mlsfilewrite ));
 
 mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
@@ -111,22 +111,22 @@
 	(( h1 dom h2 ) and ( l2 eq h2 ));
 
 # Access control for any database objects based on MCS rules.
-mlsconstrain db_database { drop setattr relabelfrom access install_module load_module get_param set_param }
+mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
 	( h1 dom h2 );
 
-mlsconstrain db_table { drop setattr relabelfrom select update insert delete use }
+mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
 	( h1 dom h2 );
 
-mlsconstrain db_column { drop setattr relabelfrom select update insert use }
+mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use }
 	( h1 dom h2 );
 
 mlsconstrain db_tuple { relabelfrom select update delete use }
 	( h1 dom h2 );
 
-mlsconstrain db_procedure { execute install }
+mlsconstrain db_procedure { drop getattr setattr execute install }
 	( h1 dom h2 );
 
-mlsconstrain db_blob { drop setattr relabelfrom read write }
+mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
 	( h1 dom h2 );
 
 ') dnl end enable_mcs
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.12/policy/modules/admin/certwatch.te
--- nsaserefpolicy/policy/modules/admin/certwatch.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/certwatch.te	2009-06-25 10:21:01.000000000 +0200
@@ -1,5 +1,5 @@
 
-policy_module(certwatch, 1.3.0)
+policy_module(certwatch, 1.3.1)
 
 ########################################
 #
@@ -28,7 +28,7 @@
 fs_list_inotifyfs(certwatch_t)
 
 auth_manage_cache(certwatch_t)
-auth_filetrans_cache(certwatch_t)
+auth_var_filetrans_cache(certwatch_t)
 
 logging_send_syslog_msg(certwatch_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.12/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/prelink.te	2009-06-25 10:21:01.000000000 +0200
@@ -68,10 +68,11 @@
 files_list_all(prelink_t)
 files_getattr_all_files(prelink_t)
 files_write_non_security_dirs(prelink_t)
-files_read_etc_files(prelink_t)
-files_read_etc_runtime_files(prelink_t)
+auth_read_all_files_except_shadow(prelink_t)
 files_dontaudit_read_all_symlinks(prelink_t)
 files_manage_usr_files(prelink_t)
+# Delta RPMS
+files_manage_var_files(prelink_t)
 files_relabelfrom_usr_files(prelink_t)
 
 fs_getattr_xattr_fs(prelink_t)
@@ -102,5 +103,9 @@
 ')
 
 optional_policy(`
+	rpm_manage_tmp_files(prelink_t)
+')
+
+optional_policy(`
 	unconfined_domain(prelink_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te	2009-06-25 10:21:01.000000000 +0200
@@ -55,6 +55,7 @@
 files_read_non_security_files(readahead_t)
 files_dontaudit_read_security_files(readahead_t)
 files_dontaudit_getattr_non_security_blk_files(readahead_t)
+files_create_boot_flag(readahead_t)
 
 fs_getattr_all_fs(readahead_t)
 fs_search_auto_mountpoints(readahead_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.12/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/rpm.if	2009-06-25 10:21:01.000000000 +0200
@@ -470,6 +470,24 @@
 
 ########################################
 ## <summary>
+##	Manage RPM tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`rpm_manage_tmp_files',`
+	gen_require(`
+		type rpm_tmp_t;
+	')
+
+	manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read, 
 ##	write RPM tmp files
 ## </summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.6.12/policy/modules/admin/shorewall.fc
--- nsaserefpolicy/policy/modules/admin/shorewall.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/admin/shorewall.fc	2009-06-25 10:21:01.000000000 +0200
@@ -0,0 +1,12 @@
+
+/etc/rc\.d/init\.d/shorewall        	--      gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/shorewall-lite       --      gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
+
+/etc/shorewall(/.*)?            		gen_context(system_u:object_r:shorewall_etc_t,s0)
+/etc/shorewall-lite(/.*)?               	gen_context(system_u:object_r:shorewall_etc_t,s0)
+
+/sbin/shorewall				--	gen_context(system_u:object_r:shorewall_exec_t,s0)
+/sbin/shorewall-lite			--      gen_context(system_u:object_r:shorewall_exec_t,s0)
+
+/var/lib/shorewall(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+/var/lib/shorewall-lite(/.*)?           	gen_context(system_u:object_r:shorewall_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.6.12/policy/modules/admin/shorewall.if
--- nsaserefpolicy/policy/modules/admin/shorewall.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/admin/shorewall.if	2009-06-25 10:21:01.000000000 +0200
@@ -0,0 +1,166 @@
+## <summary>policy for shorewall</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run shorewall.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`shorewall_domtrans',`
+	gen_require(`
+		type shorewall_t; 
+		type shorewall_exec_t;
+	')
+
+	domtrans_pattern($1, shorewall_exec_t, shorewall_t)
+')
+
+#######################################
+## <summary>
+##      Read shorewall etc configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`shorewall_read_etc',`
+        gen_require(`
+                type shorewall_etc_t;
+        ')
+
+        files_search_etc($1)
+        read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
+')
+
+#######################################
+## <summary>
+##      Read shorewall PID files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`shorewall_read_pid_files',`
+        gen_require(`
+                type shorewall_var_run_t;
+        ')
+
+        files_search_pids($1)
+        read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+')
+
+#######################################
+## <summary>
+##      Read and write shorewall PID files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`shorewall_rw_pid_files',`
+        gen_require(`
+                type shorewall_var_run_t;
+        ')
+
+        files_search_pids($1)
+        rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+')
+
+######################################
+## <summary>
+##      Read shorewall /var/lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`shorewall_read_var_lib',`
+        gen_require(`
+                type shorewall_t;
+       ')
+
+        files_search_var_lib($1)
+        search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+        read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+')
+
+#######################################
+## <summary>
+##      Read and write shorewall /var/lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`shorewall_rw_var_lib',`
+        gen_require(`
+                type shorewall_t;
+       ')
+
+        files_search_var_lib($1)
+        search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+        rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+')
+
+#######################################
+## <summary>
+##      All of the rules required to administrate 
+##      an shorewall environment
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      The role to be allowed to manage the syslog domain.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`shorewall_admin',`
+        gen_require(`
+                type shorewall_t, shorewall_var_run_t, shorewall_lock_t;
+                type shorewall_initrc_exec_t, shorewall_var_lib_t;
+                type shorewall_tmp_t;
+        ')
+
+        allow $1 shorewall_t:process { ptrace signal_perms };
+        ps_process_pattern($1, shorewall_t)
+
+        init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
+        domain_system_change_exemption($1)
+        role_transition $2 shorewall_initrc_exec_t system_r;
+        allow $2 system_r;
+
+        files_search_etc($1)
+        admin_pattern($1, shorewall_etc_t)
+
+	files_search_locks($1)
+	admin_pattern($1, shorewall_lock_t)
+
+        files_search_pids($1)
+        admin_pattern($1, shorewall_var_run_t)
+
+        files_search_var_lib($1)
+        admin_pattern($1, shorewall_var_lib_t)
+
+        files_search_tmp($1)
+        admin_pattern($1, shorewall_tmp_t)
+')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.6.12/policy/modules/admin/shorewall.te
--- nsaserefpolicy/policy/modules/admin/shorewall.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/admin/shorewall.te	2009-06-25 10:41:25.000000000 +0200
@@ -0,0 +1,103 @@
+policy_module(shorewall,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type shorewall_t;
+type shorewall_exec_t;
+init_system_domain(shorewall_t, shorewall_exec_t)
+
+type shorewall_initrc_exec_t;
+init_script_file(shorewall_initrc_exec_t)
+
+# etc files
+type shorewall_etc_t;
+files_config_file(shorewall_etc_t)
+
+# lock files
+type shorewall_lock_t;
+files_lock_file(shorewall_lock_t)
+
+# tmp files
+type shorewall_tmp_t;
+files_tmp_file(shorewall_tmp_t)
+
+# var/lib files
+type shorewall_var_lib_t;
+files_type(shorewall_var_lib_t)
+
+########################################
+#
+# shorewall local policy
+#
+
+allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace};
+dontaudit shorewall_t self:capability sys_tty_config;
+allow shorewall_t self:process signal;
+
+allow shorewall_t self:fifo_file rw_fifo_file_perms;
+
+# etc file
+read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+
+# lock files
+manage_files_pattern(shorewall_t,shorewall_lock_t,shorewall_lock_t)
+files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
+
+# var/lib files for shorewall
+exec_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
+manage_dirs_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
+manage_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
+files_var_lib_filetrans(shorewall_t,shorewall_var_lib_t, { dir file })
+
+# tmp files for shorewall
+manage_dirs_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t)
+manage_files_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t)
+files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(shorewall_t)
+kernel_read_system_state(shorewall_t)
+kernel_read_network_state(shorewall_t)
+kernel_rw_net_sysctls(shorewall_t)
+
+corecmd_exec_bin(shorewall_t)
+corecmd_exec_shell(shorewall_t)
+
+dev_read_urand(shorewall_t)
+
+fs_getattr_all_fs(shorewall_t)
+
+domain_read_all_domains_state(shorewall_t)
+
+files_getattr_kernel_modules(shorewall_t)
+files_read_etc_files(shorewall_t)
+files_read_usr_files(shorewall_t)
+files_search_kernel_modules(shorewall_t)
+
+init_rw_utmp(shorewall_t)
+
+libs_use_ld_so(shorewall_t)
+libs_use_shared_libs(shorewall_t)
+
+logging_send_syslog_msg(shorewall_t)
+
+miscfiles_read_localization(shorewall_t)
+
+userdom_dontaudit_list_admin_dir(shorewall_t)
+
+sysnet_domtrans_ifconfig(shorewall_t)
+iptables_domtrans(shorewall_t)
+
+optional_policy(`
+        modutils_domtrans_insmod(shorewall_t)
+')
+
+optional_policy(`
+	ulogd_search_log(shorewall_t)
+')
+
+permissive shorewall_t;
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.12/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/usermanage.te	2009-06-25 10:21:01.000000000 +0200
@@ -209,6 +209,7 @@
 files_manage_etc_files(groupadd_t)
 files_relabel_etc_files(groupadd_t)
 files_read_etc_runtime_files(groupadd_t)
+files_read_usr_symlinks(groupadd_t)
 
 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
 corecmd_exec_bin(groupadd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.6.12/policy/modules/apps/gitosis.fc
--- nsaserefpolicy/policy/modules/apps/gitosis.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/apps/gitosis.fc	2009-06-25 10:21:01.000000000 +0200
@@ -0,0 +1,4 @@
+
+/usr/bin/gitosis-serve			--        gen_context(system_u:object_r:gitosis_exec_t,s0)
+
+/var/lib/gitosis(/.*)?                            gen_context(system_u:object_r:gitosis_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.12/policy/modules/apps/gitosis.if
--- nsaserefpolicy/policy/modules/apps/gitosis.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/apps/gitosis.if	2009-06-25 10:28:47.000000000 +0200
@@ -0,0 +1,94 @@
+## <summary>gitosis interface</summary>
+
+#######################################
+## <summary>
+##      Execute a domain transition to run gitosis.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gitosis_domtrans',`
+        gen_require(`
+                type gitosis_t, gitosis_exec_t;
+        ')
+
+        domtrans_pattern($1, gitosis_exec_t, gitosis_t)
+')
+
+#######################################
+## <summary>
+##      Execute gitosis-serve in the gitosis domain, and
+##      allow the specified role the gitosis domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      The role to be allowed the gitosis domain.
+##      </summary>
+## </param>
+## <param name="terminal">
+##      <summary>
+##      The type of the role's terminal.
+##      </summary>
+## </param>
+#
+interface(`gitosis_run',`
+        gen_require(`
+                type gitosis_t;
+        ')
+
+        gitosis_domtrans($1)
+        role $2 types gitosis_t;
+        allow gitosis_t $3:chr_file rw_term_perms;
+')
+
+#######################################
+## <summary>
+##      Allow the specified domain to read
+##      gitosis lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gitosis_read_var_lib',`
+        gen_require(`
+                type gitosis_var_lib_t;
+
+        ')
+
+        read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+	read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+        list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
+
+######################################
+## <summary>
+##      Allow the specified domain to manage
+##      gitosis lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gitosis_manage_var_lib',`
+        gen_require(`
+                type gitosis_var_lib_t;
+
+        ')
+
+        manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+        manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+	manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.6.12/policy/modules/apps/gitosis.te
--- nsaserefpolicy/policy/modules/apps/gitosis.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/apps/gitosis.te	2009-06-25 10:21:01.000000000 +0200
@@ -0,0 +1,43 @@
+policy_module(gitosis,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gitosis_t;
+type gitosis_exec_t;
+application_domain(gitosis_t, gitosis_exec_t)
+role system_r types gitosis_t;
+
+type gitosis_var_lib_t;
+files_type(gitosis_var_lib_t)
+
+########################################
+#
+# gitosis local policy
+#
+
+allow gitosis_t self:fifo_file rw_fifo_file_perms;
+
+exec_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
+manage_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
+manage_lnk_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
+manage_dirs_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
+
+corecmd_exec_bin(gitosis_t) 
+corecmd_exec_shell(gitosis_t)
+
+kernel_read_system_state(gitosis_t)
+
+files_read_usr_files(gitosis_t)
+files_search_var_lib(gitosis_t)
+
+libs_use_ld_so(gitosis_t)
+libs_use_shared_libs(gitosis_t)
+
+miscfiles_read_localization(gitosis_t)
+
+optional_policy(`
+	ssh_rw_pipes(gitosis_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.12/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/mozilla.if	2009-06-26 15:48:23.000000000 +0200
@@ -64,6 +64,7 @@
 
 	allow $1 mozilla_home_t:dir list_dir_perms;
 	allow $1 mozilla_home_t:file read_file_perms;
+	allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
 	userdom_search_user_home_dirs($1)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.12/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/mozilla.te	2009-06-25 10:21:01.000000000 +0200
@@ -145,6 +145,7 @@
 userdom_manage_user_tmp_dirs(mozilla_t)
 userdom_manage_user_tmp_files(mozilla_t)
 userdom_manage_user_tmp_sockets(mozilla_t)
+userdom_use_user_ptys(mozilla_t)
 
 xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
 xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.12/policy/modules/apps/qemu.fc
--- nsaserefpolicy/policy/modules/apps/qemu.fc	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/qemu.fc	2009-06-25 10:21:01.000000000 +0200
@@ -1,2 +1,3 @@
 /usr/bin/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.12/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/qemu.te	2009-06-25 10:21:01.000000000 +0200
@@ -88,11 +88,16 @@
 ')
 
 optional_policy(`
+	dbus_system_bus_client(qemu_t)
+')
+
+optional_policy(`
 	samba_domtrans_smb(qemu_t)
 ')
 
 optional_policy(`
 	virt_manage_images(qemu_t)
+	virt_append_log(qemu_t)
 ')
 
 optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.12/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/sandbox.if	2009-06-25 10:21:01.000000000 +0200
@@ -3,73 +3,143 @@
 
 ########################################
 ## <summary>
-##	Execute a domain transition to run sandbox.
+##	Execute sandbox in the sandbox domain, and
+##	allow the specified role the sandbox domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
-##	Domain allowed to transition.
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the sandbox domain.
 ## </summary>
 ## </param>
 #
-interface(`sandbox_domtrans',`
+interface(`sandbox_transition',`
 	gen_require(`
-		type sandbox_t;
-                type sandbox_exec_t;
+		type sandbox_xserver_t;
+		attribute sandbox_domain;
 	')
 
-	domtrans_pattern($1,sandbox_exec_t,sandbox_t)
+	allow $1 sandbox_domain:process transition;
+	dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
+	role $2 types sandbox_domain;
+	role $2 types sandbox_xserver_t;
 ')
 
-
 ########################################
 ## <summary>
-##	Execute sandbox in the sandbox domain, and
-##	allow the specified role the sandbox domain.
+##	Creates types and rules for a basic
+##	qemu process domain.
 ## </summary>
-## <param name="domain">
+## <param name="prefix">
 ##	<summary>
-##	Domain allowed access
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the sandbox domain.
+##	Prefix for the domain.
 ##	</summary>
 ## </param>
 #
-interface(`sandbox_run',`
+template(`sandbox_domain_template',`
+
 	gen_require(`
-		type sandbox_t;
+		attribute sandbox_domain;
 	')
 
-	sandbox_domtrans($1)
-	role $2 types sandbox_t;
+	type $1_t, sandbox_domain;
+	domain_type($1_t)
+
+	type $1_file_t;
+	files_type($1_file_t)
+
+	can_exec($1_t, $1_file_t)
+	manage_dirs_pattern($1_t, $1_file_t, $1_file_t)
+	manage_files_pattern($1_t, $1_file_t, $1_file_t)
+	manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t)
+	manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
+	manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
 ')
 
 ########################################
 ## <summary>
-##	Role access for sandbox
+##	Creates types and rules for a basic
+##	qemu process domain.
 ## </summary>
-## <param name="role">
+## <param name="prefix">
 ##	<summary>
-##	Role allowed access
+##	Prefix for the domain.
 ##	</summary>
 ## </param>
+#
+template(`sandbox_x_domain_template',`
+	gen_require(`
+		type xserver_exec_t;
+		type sandbox_xserver_t;
+		attribute sandbox_domain, sandbox_x_domain;
+	')
+
+	sandbox_domain_template($1)
+
+	
+	typeattribute $1_t sandbox_x_domain;
+
+	# window manager
+	miscfiles_setattr_fonts($1_t)
+	allow $1_t self:capability setuid;
+
+	type $1_client_t, sandbox_x_domain, sandbox_domain;
+	domain_type($1_client_t)
+
+	type $1_client_tmpfs_t;
+	files_tmpfs_file($1_client_tmpfs_t)
+
+	allow $1_client_t sandbox_devpts_t:chr_file { rw_term_perms setattr };
+	term_create_pty($1_client_t,sandbox_devpts_t)
+
+	manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
+	fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
+	allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
+
+	domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
+	allow $1_t sandbox_xserver_t:process sigkill;
+
+	domtrans_pattern($1_t, $1_file_t, $1_client_t)
+	domain_entry_file($1_client_t,  $1_file_t)
+
+	manage_dirs_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
+	manage_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
+	manage_sock_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
+	allow sandbox_xserver_t $1_file_t:sock_file create_sock_file_perms;
+	ps_process_pattern(sandbox_xserver_t, $1_client_t)
+	ps_process_pattern(sandbox_xserver_t, $1_t)
+	allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
+	allow sandbox_xserver_t $1_t:shm rw_shm_perms;
+
+	can_exec($1_client_t, $1_file_t)
+	manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t)
+	manage_files_pattern($1_client_t, $1_file_t, $1_file_t)
+	manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t)
+	manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t)
+	manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t)
+
+#	permissive $1_client_t;
+')
+
+########################################
+## <summary>
+##	allow domain to read, 
+##	write sandbox_xserver tmp files
+## </summary>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`sandbox_role',`
+interface(`sandbox_rw_xserver_tmpfs_files',`
 	gen_require(`
-              type sandbox_t;
+		type sandbox_xserver_tmpfs_t;
 	')
 
-	role $2 types sandbox_t;
-
-	sandbox_domtrans($1)
-
-	ps_process_pattern($2, sandbox_t)
-	allow $2 sandbox_t:process signal;
+	allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.12/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/sandbox.te	2009-06-25 10:21:01.000000000 +0200
@@ -1,18 +1,84 @@
 policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
+attribute sandbox_x_domain;
 
 ########################################
 #
 # Declarations
 #
 
-type sandbox_t;
-type sandbox_exec_t;
-application_domain(sandbox_t, sandbox_exec_t)
-init_daemon_domain(sandbox_t, sandbox_exec_t)
-role system_r types sandbox_t;
+sandbox_domain_template(sandbox)
+sandbox_x_domain_template(sandbox_x)
+sandbox_x_domain_template(sandbox_web)
+sandbox_x_domain_template(sandbox_net)
 
-type sandbox_file_t;
-files_type(sandbox_file_t)
+type sandbox_xserver_t;
+domain_type(sandbox_xserver_t)
+xserver_common_app(sandbox_xserver_t)
+permissive sandbox_xserver_t;
+
+type sandbox_xserver_tmpfs_t;
+files_tmpfs_file(sandbox_xserver_tmpfs_t)
+
+type sandbox_devpts_t;
+term_pty(sandbox_devpts_t)
+files_type(sandbox_devpts_t)
+
+########################################
+#
+# sandbox xserver policy
+#
+allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
+allow sandbox_xserver_t self:shm create_shm_perms;
+allow sandbox_xserver_t self:tcp_socket create_socket_perms;
+
+manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+corecmd_exec_bin(sandbox_xserver_t)
+corecmd_exec_shell(sandbox_xserver_t)
+
+corenet_all_recvfrom_unlabeled(sandbox_xserver_t)
+corenet_all_recvfrom_netlabel(sandbox_xserver_t)
+corenet_tcp_sendrecv_generic_if(sandbox_xserver_t)
+corenet_udp_sendrecv_generic_if(sandbox_xserver_t)
+corenet_tcp_sendrecv_generic_node(sandbox_xserver_t)
+corenet_udp_sendrecv_generic_node(sandbox_xserver_t)
+corenet_tcp_sendrecv_all_ports(sandbox_xserver_t)
+corenet_udp_sendrecv_all_ports(sandbox_xserver_t)
+corenet_tcp_bind_generic_node(sandbox_xserver_t)
+corenet_tcp_bind_xserver_port(sandbox_xserver_t)
+corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
+corenet_sendrecv_all_client_packets(sandbox_xserver_t)
+
+files_read_etc_files(sandbox_xserver_t)
+files_read_usr_files(sandbox_xserver_t)
+files_search_home(sandbox_xserver_t)
+fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
+
+miscfiles_read_fonts(sandbox_xserver_t)
+miscfiles_read_localization(sandbox_xserver_t)
+
+kernel_read_system_state(sandbox_xserver_t)
+
+auth_use_nsswitch(sandbox_xserver_t)
+
+userdom_use_user_terminals(sandbox_xserver_t)
+
+xserver_entry_type(sandbox_xserver_t)
+
+optional_policy(`
+	dbus_system_bus_client(sandbox_xserver_t)
+
+	optional_policy(`
+		hal_dbus_chat(sandbox_xserver_t)
+	')
+')
 
 ########################################
 #
@@ -20,21 +86,189 @@
 #
 
 ## internal communication is often done using fifo and unix sockets.
-allow sandbox_t self:fifo_file rw_file_perms;
-allow sandbox_t self:unix_stream_socket create_stream_socket_perms;
+allow sandbox_domain self:fifo_file rw_file_perms;
+allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
+
+files_rw_all_inherited_files(sandbox_domain)
+files_entrypoint_all_files(sandbox_domain)
+
+miscfiles_read_localization(sandbox_domain)
+
+kernel_dontaudit_read_system_state(sandbox_domain)
+corecmd_exec_all_executables(sandbox_domain)
+
+
+########################################
+#
+# sandbox_x_domain local policy
+#
+allow sandbox_x_domain self:process { signal_perms getsched setpgid };
+allow sandbox_x_domain self:shm create_shm_perms;
+allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
+allow sandbox_x_domain self:unix_dgram_socket create_socket_perms;
+allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
+dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+dev_read_urand(sandbox_x_domain)
+dev_dontaudit_read_rand(sandbox_x_domain)
+
+files_read_etc_files(sandbox_x_domain)
+files_read_usr_files(sandbox_x_domain)
+files_read_usr_symlinks(sandbox_x_domain)
+
+fs_getattr_tmpfs(sandbox_x_domain)
+fs_getattr_xattr_fs(sandbox_x_domain)
+
+auth_dontaudit_read_login_records(sandbox_x_domain)
+
+init_read_utmp(sandbox_x_domain)
+
+term_getattr_pty_fs(sandbox_x_domain)
+term_use_ptmx(sandbox_x_domain)
+
+logging_send_syslog_msg(sandbox_x_domain)
+
+miscfiles_read_fonts(sandbox_x_domain)
+
+optional_policy(`
+	gnome_read_gconf_config(sandbox_x_domain)
+')
+
+optional_policy(`
+	cups_stream_connect(sandbox_x_domain)
+	cups_read_rw_config(sandbox_x_domain)
+')
+
+########################################
+#
+# sandbox_x_client_t local policy
+#
+allow sandbox_x_client_t self:tcp_socket create_socket_perms;
+allow sandbox_x_client_t self:udp_socket create_socket_perms;
+allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
+allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms;
+
+dev_read_rand(sandbox_x_client_t)
+
+corenet_tcp_connect_ipp_port(sandbox_x_client_t)
+
+auth_use_nsswitch(sandbox_x_client_t)
+
+dbus_system_bus_client(sandbox_x_client_t)
+dbus_read_config(sandbox_x_client_t)
+selinux_get_fs_mount(sandbox_x_client_t)
+selinux_validate_context(sandbox_x_client_t)
+selinux_compute_access_vector(sandbox_x_client_t)
+selinux_compute_create_context(sandbox_x_client_t)
+selinux_compute_relabel_context(sandbox_x_client_t)
+selinux_compute_user_contexts(sandbox_x_client_t)
+seutil_read_default_contexts(sandbox_x_client_t)
+
+optional_policy(`
+	hal_dbus_chat(sandbox_x_client_t)
+')
+
+########################################
+#
+# sandbox_web_client_t local policy
+#
+allow sandbox_web_client_t self:capability { setuid setgid };
+allow sandbox_web_client_t self:netlink_audit_socket nlmsg_relay;
+allow sandbox_web_client_t self:process setsched;
+
+allow sandbox_web_client_t self:tcp_socket create_socket_perms;
+allow sandbox_web_client_t self:udp_socket create_socket_perms;
+allow sandbox_web_client_t self:dbus { acquire_svc send_msg };
+allow sandbox_web_client_t self:netlink_selinux_socket create_socket_perms;
+
+dev_read_rand(sandbox_web_client_t)
+
+# Browse the web, connect to printer
+corenet_all_recvfrom_unlabeled(sandbox_web_client_t)
+corenet_all_recvfrom_netlabel(sandbox_web_client_t)
+corenet_tcp_sendrecv_generic_if(sandbox_web_client_t)
+corenet_raw_sendrecv_generic_if(sandbox_web_client_t)
+corenet_tcp_sendrecv_generic_node(sandbox_web_client_t)
+corenet_raw_sendrecv_generic_node(sandbox_web_client_t)
+corenet_tcp_sendrecv_http_port(sandbox_web_client_t)
+corenet_tcp_sendrecv_http_cache_port(sandbox_web_client_t)
+corenet_tcp_sendrecv_ftp_port(sandbox_web_client_t)
+corenet_tcp_sendrecv_ipp_port(sandbox_web_client_t)
+corenet_tcp_connect_http_port(sandbox_web_client_t)
+corenet_tcp_connect_http_cache_port(sandbox_web_client_t)
+corenet_tcp_connect_ftp_port(sandbox_web_client_t)
+corenet_tcp_connect_ipp_port(sandbox_web_client_t)
+corenet_tcp_connect_generic_port(sandbox_web_client_t)
+corenet_sendrecv_http_client_packets(sandbox_web_client_t)
+corenet_sendrecv_http_cache_client_packets(sandbox_web_client_t)
+corenet_sendrecv_ftp_client_packets(sandbox_web_client_t)
+corenet_sendrecv_ipp_client_packets(sandbox_web_client_t)
+corenet_sendrecv_generic_client_packets(sandbox_web_client_t)
+# Should not need other ports
+corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_client_t)
+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t)
+corenet_tcp_connect_speech_port(sandbox_web_client_t)
+
+auth_use_nsswitch(sandbox_web_client_t)
+
+dbus_system_bus_client(sandbox_web_client_t)
+dbus_read_config(sandbox_web_client_t)
+selinux_get_fs_mount(sandbox_web_client_t)
+selinux_validate_context(sandbox_web_client_t)
+selinux_compute_access_vector(sandbox_web_client_t)
+selinux_compute_create_context(sandbox_web_client_t)
+selinux_compute_relabel_context(sandbox_web_client_t)
+selinux_compute_user_contexts(sandbox_web_client_t)
+seutil_read_default_contexts(sandbox_web_client_t)
+
+optional_policy(`
+	nsplugin_read_rw_files(sandbox_web_client_t)
+	nsplugin_rw_exec(sandbox_web_client_t)
+')
+
+optional_policy(`
+	hal_dbus_chat(sandbox_web_client_t)
+')
+
+########################################
+#
+# sandbox_net_client_t local policy
+#
+allow sandbox_net_client_t self:tcp_socket create_socket_perms;
+allow sandbox_net_client_t self:udp_socket create_socket_perms;
+allow sandbox_net_client_t self:dbus { acquire_svc send_msg };
+allow sandbox_net_client_t self:netlink_selinux_socket create_socket_perms;
+
+dev_read_rand(sandbox_net_client_t)
 
-manage_dirs_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
-manage_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
-manage_lnk_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
-manage_fifo_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
-manage_sock_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
+corenet_all_recvfrom_unlabeled(sandbox_net_client_t)
+corenet_all_recvfrom_netlabel(sandbox_net_client_t)
+corenet_tcp_sendrecv_generic_if(sandbox_net_client_t)
+corenet_udp_sendrecv_generic_if(sandbox_net_client_t)
+corenet_tcp_sendrecv_generic_node(sandbox_net_client_t)
+corenet_udp_sendrecv_generic_node(sandbox_net_client_t)
+corenet_tcp_sendrecv_all_ports(sandbox_net_client_t)
+corenet_udp_sendrecv_all_ports(sandbox_net_client_t)
+corenet_tcp_connect_all_ports(sandbox_net_client_t)
+corenet_sendrecv_all_client_packets(sandbox_net_client_t)
 
-files_rw_all_inherited_files(sandbox_t)
-files_entrypoint_all_files(sandbox_t)
+auth_use_nsswitch(sandbox_net_client_t)
 
-libs_use_ld_so(sandbox_t)
-libs_use_shared_libs(sandbox_t)
+dbus_system_bus_client(sandbox_net_client_t)
+dbus_read_config(sandbox_net_client_t)
+selinux_get_fs_mount(sandbox_net_client_t)
+selinux_validate_context(sandbox_net_client_t)
+selinux_compute_access_vector(sandbox_net_client_t)
+selinux_compute_create_context(sandbox_net_client_t)
+selinux_compute_relabel_context(sandbox_net_client_t)
+selinux_compute_user_contexts(sandbox_net_client_t)
+seutil_read_default_contexts(sandbox_net_client_t)
 
-miscfiles_read_localization(sandbox_t)
+optional_policy(`
+	nsplugin_read_rw_files(sandbox_web_client_t)
+	nsplugin_rw_exec(sandbox_web_client_t)
+')
 
-userdom_use_user_ptys(sandbox_t)
+optional_policy(`
+	hal_dbus_chat(sandbox_net_client_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.12/policy/modules/apps/vmware.fc
--- nsaserefpolicy/policy/modules/apps/vmware.fc	2009-04-07 21:54:49.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/vmware.fc	2009-06-25 10:21:01.000000000 +0200
@@ -63,6 +63,7 @@
 ')
 
 /var/log/vmware.* 		--	gen_context(system_u:object_r:vmware_log_t,s0)
+/var/log/vnetlib.*		--	gen_context(system_u:object_r:vmware_log_t,s0)
 
 /var/run/vmnat.* 		-s	gen_context(system_u:object_r:vmware_var_run_t,s0)
 /var/run/vmware.* 			gen_context(system_u:object_r:vmware_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.12/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/vmware.te	2009-06-25 10:21:01.000000000 +0200
@@ -136,7 +136,7 @@
 
 miscfiles_read_localization(vmware_host_t)
 
-sysnet_dns_name_resolve(vmware_host_t)
+auth_use_nsswitch(vmware_host_t)
 
 storage_getattr_fixed_disk_dev(vmware_host_t)
 
@@ -160,6 +160,10 @@
         xserver_common_app(vmware_host_t)
 ')
 
+optional_policy(`
+	unconfined_domain(vmware_host_t)
+	unconfined_domain(vmware_t)
+')
 
 ifdef(`TODO',`
 # VMWare need access to pcmcia devices for network
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc	2009-06-25 10:21:01.000000000 +0200
@@ -7,6 +7,7 @@
 /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -69,6 +70,8 @@
 /etc/ppp/ipv6-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/ppp/ipv6-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
 
+/etc/racoon/scripts(/.*)?  		gen_context(system_u:object_r:bin_t,s0)
+
 /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
 
 /etc/security/namespace.init    --      gen_context(system_u:object_r:bin_t,s0)
@@ -145,6 +148,7 @@
 /usr/(.*/)?Bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/bin/git-shell		--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
 
 /usr/lib(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@@ -217,8 +221,11 @@
 /usr/share/PackageKit/pk-upgrade-distro\.sh -- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/PackageKit/helpers(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/configpath	--      gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-perl(/.*)?	        gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall-shell(/.*)?        gen_context(system_u:object_r:bin_t,s0)
-/usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall6-lite(/.*)?        gen_context(system_u:object_r:bin_t,s0)
 
 /usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in	2009-06-25 10:21:01.000000000 +0200
@@ -134,7 +134,7 @@
 network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
 network_port(lmtp, tcp,24,s0, udp,24,s0)
-network_port(mail, tcp,2000,s0)
+network_port(mail, tcp,2000,s0, tcp,3905,s0)
 network_port(memcache, tcp,11211,s0, udp,11211,s0)
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 network_port(monopd, tcp,1234,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.12/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.fc	2009-06-25 10:21:01.000000000 +0200
@@ -46,8 +46,10 @@
 /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 /dev/kqemu		-c	gen_context(system_u:object_r:qemu_device_t,s0)
+/dev/ksm		-c	gen_context(system_u:object_r:ksm_device_t,s0)
 /dev/kvm		-c	gen_context(system_u:object_r:kvm_device_t,s0)
 /dev/lik.*		-c	gen_context(system_u:object_r:event_device_t,s0)
+/dev/lirc[0-9]+        -c      gen_context(system_u:object_r:lirc_device_t,s0)
 /dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.12/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.if	2009-06-25 10:21:01.000000000 +0200
@@ -1727,6 +1727,133 @@
 
 ########################################
 ## <summary>
+##	Get the attributes of the ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_ksm_dev',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+##	Set the attributes of the ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_ksm_dev',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+##	Read the ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_ksm',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+##      Read and write to ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_ksm',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+######################################
+## <summary>
+##      Read the lirc device.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_read_lirc',`
+        gen_require(`
+                type device_t, lirc_device_t;
+        ')
+
+        read_chr_files_pattern($1, device_t, lirc_device_t)
+')
+
+######################################
+## <summary>
+##      Read and write the lirc device.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_rw_lirc',`
+        gen_require(`
+                type device_t, lirc_device_t;
+        ')
+
+        rw_chr_files_pattern($1, device_t, lirc_device_t)
+')
+
+######################################
+## <summary>
+##      Automatic type transition to the type
+##      for lirc device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_filetrans_lirc',`
+        gen_require(`
+                type device_t, lirc_device_t;
+        ')
+
+        filetrans_pattern($1, device_t, lirc_device_t, chr_file)
+')
+
+########################################
+## <summary>
 ##	Read the lvm comtrol device.
 ## </summary>
 ## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.12/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.te	2009-06-25 10:21:01.000000000 +0200
@@ -78,6 +78,13 @@
 dev_node(ipmi_device_t)
 
 #
+# ksm_device_t is the type of
+# /dev/ksm
+#
+type ksm_device_t;
+dev_node(ksm_device_t)
+
+#
 # Type for /dev/kmsg
 #
 type kmsg_device_t;
@@ -91,6 +98,12 @@
 dev_node(kvm_device_t)
 
 #
+# Type for /dev/lirc
+#
+type lirc_device_t;
+dev_node(lirc_device_t)
+
+#
 # Type for /dev/mapper/control
 #
 type lvm_control_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if	2009-06-25 10:21:01.000000000 +0200
@@ -44,34 +44,6 @@
 interface(`domain_type',`
 	# start with basic domain
 	domain_base_type($1)
-
-	ifdef(`distro_redhat',`
-		optional_policy(`
-			unconfined_use_fds($1)
-		')
-	')
-
-	# send init a sigchld and signull
-	optional_policy(`
-		init_sigchld($1)
-		init_signull($1)
-	')
-
-	# these seem questionable:
-
-	optional_policy(`
-		rpm_use_fds($1)
-		rpm_read_pipes($1)
-	')
-
-	optional_policy(`
-		selinux_dontaudit_getattr_fs($1)
-		selinux_dontaudit_read_fs($1)
-	')
-
-	optional_policy(`
-		seutil_dontaudit_read_config($1)
-	')
 ')
 
 ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te	2009-06-26 15:48:29.000000000 +0200
@@ -91,6 +91,9 @@
 kernel_read_proc_symlinks(domain)
 kernel_read_crypto_sysctls(domain)
 
+# All executables should be able to search the directory they are in
+corecmd_search_bin(domain)
+
 # Every domain gets the key ring, so we should default
 # to no one allowed to look at it; afs kernel support creates
 # a keyring
@@ -108,6 +111,15 @@
 # list the root directory
 files_list_root(domain)
 
+selinux_getattr_fs(domain)
+selinux_search_fs(domain)
+selinux_dontaudit_read_fs(domain)
+
+init_sigchld(domain)
+init_signull(domain)
+
+seutil_dontaudit_read_config(domain)
+
 tunable_policy(`global_ssp',`
 	# enable reading of urandom for all domains:
 	# this should be enabled when all programs
@@ -116,6 +128,12 @@
 	dev_read_urand(domain)
 ')
 
+ifdef(`distro_redhat',`
+	optional_policy(`
+		unconfined_use_fds(domain)
+	')
+')
+
 optional_policy(`
 	afs_rw_cache(domain)
 ')
@@ -125,6 +143,12 @@
 	libs_use_shared_libs(domain)
 ')
 
+# these seem questionable:
+optional_policy(`
+	rpm_use_fds(domain)
+	rpm_read_pipes(domain)
+')
+
 optional_policy(`
 	setrans_translate_context(domain)
 ')
@@ -152,8 +176,7 @@
 allow unconfined_domain_type domain:fd use;
 allow unconfined_domain_type domain:fifo_file rw_file_perms;
 
-allow unconfined_domain_type domain:dbus send_msg;
-allow domain unconfined_domain_type:dbus send_msg;
+allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
 
 # Act upon any other process.
 allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
@@ -185,7 +208,9 @@
 
 ifdef(`hide_broken_symptoms',`
 	fs_list_inotifyfs(domain)
+	dontaudit domain self:udp_socket listen;
 	allow domain domain:key { link search };
+	dbus_dontaudit_system_bus_rw_tcp_sockets(domain)
 ')
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/files.if	2009-06-25 10:21:01.000000000 +0200
@@ -1953,6 +1953,7 @@
 	allow $1 etc_t:dir list_dir_perms;
 	read_files_pattern($1, etc_t, etc_t)
 	read_lnk_files_pattern($1, etc_t, etc_t)
+	files_read_etc_runtime_files($1)
 ')
 
 ########################################
@@ -3734,6 +3735,7 @@
 	allow $1 usr_t:dir list_dir_perms;
 	read_files_pattern($1, usr_t, usr_t)
 	read_lnk_files_pattern($1, usr_t, usr_t)
+	files_read_usr_src_files($1)
 ')
 
 ########################################
@@ -5224,6 +5226,7 @@
 		attribute file_type;
 	')
 
+	allow $1 file_type:dir search_dir_perms;
 	allow $1 file_type:file { getattr read write append lock };
 	allow $1 file_type:fifo_file { getattr read write append ioctl lock };
 	allow $1 file_type:sock_file { getattr read write append ioctl lock };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if	2009-06-25 10:21:01.000000000 +0200
@@ -817,7 +817,7 @@
 		type proc_t;
 	')
 
-	dontaudit $1 proc_t:file { getattr read };
+	dontaudit $1 proc_t:file { open getattr read };
 ')
 
 ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.12/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/terminal.if	2009-06-25 10:21:01.000000000 +0200
@@ -571,6 +571,25 @@
 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
 ')
 
+#######################################
+## <summary>
+##      Set the attributes of the tty device
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`term_setattr_controlling_term',`
+       gen_require(`
+               type devtty_t;
+       ')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 devtty_t:chr_file setattr;
+')
+
 ########################################
 ## <summary>
 ##	Read and write the controlling
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.12/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/roles/staff.te	2009-06-25 10:21:01.000000000 +0200
@@ -44,6 +44,10 @@
 ')
 
 optional_policy(`
+	postgresql_role(staff_r, staff_t)
+')
+
+optional_policy(`
 	secadm_role_change(staff_r)
 ')
 
@@ -95,6 +99,10 @@
 ')
 
 optional_policy(`
+	sandbox_transition(staff_t, staff_r)
+')
+
+optional_policy(`
 	screen_manage_var_run(staff_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.6.12/policy/modules/roles/sysadm.if
--- nsaserefpolicy/policy/modules/roles/sysadm.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.if	2009-06-25 10:21:01.000000000 +0200
@@ -116,6 +116,41 @@
 
 ########################################
 ## <summary>
+##	Allow sysadm to execute all entrypoint files in
+##	a specified domain.  This is an explicit transition,
+##	requiring the caller to use setexeccon().
+## </summary>
+## <desc>
+##	<p>
+##	Allow sysadm to execute all entrypoint files in
+##	a specified domain.  This is an explicit transition,
+##	requiring the caller to use setexeccon().
+##	</p>
+##	<p>
+##	This is a interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_entry_spec_domtrans_to',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	domain_entry_file_spec_domtrans(sysadm_t, $1)
+	allow $1 sysadm_t:fd use;
+	allow $1 sysadm_t:fifo_file rw_file_perms;
+	allow $1 sysadm_t:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Allow sysadm to execute a generic bin program in
 ##	a specified domain.  This is an explicit transition,
 ##	requiring the caller to use setexeccon().
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te	2009-06-25 10:21:01.000000000 +0200
@@ -334,6 +334,10 @@
 ')
 
 optional_policy(`
+	virt_stream_connect(sysadm_t)
+')
+
+optional_policy(`
 	yam_run(sysadm_t, sysadm_r)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te	2009-06-25 10:21:01.000000000 +0200
@@ -52,6 +52,8 @@
 init_system_domain(unconfined_execmem_t, execmem_exec_t)
 role unconfined_r types unconfined_execmem_t;
 typealias execmem_exec_t alias unconfined_execmem_exec_t;
+userdom_unpriv_usertype(unconfined, unconfined_execmem_t)
+userdom_manage_tmpfs_role(unconfined_r, unconfined_execmem_t)
 
 type unconfined_notrans_t;
 type unconfined_notrans_exec_t;
@@ -253,6 +255,10 @@
 ')
 
 optional_policy(`
+	ppp_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
 	qemu_role_notrans(unconfined_r, unconfined_t)
 	qemu_unconfined_role(unconfined_r)
 
@@ -277,7 +283,7 @@
 ')
 
 optional_policy(`
-	sandbox_run(unconfined_t, unconfined_r)
+	sandbox_transition(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.12/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/roles/unprivuser.te	2009-06-25 10:21:01.000000000 +0200
@@ -22,5 +22,9 @@
 ')
 
 optional_policy(`
+	sandbox_transition(user_t, user_r)
+')
+
+optional_policy(`
 	setroubleshoot_dontaudit_stream_connect(user_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.12/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/apache.fc	2009-06-25 10:21:01.000000000 +0200
@@ -98,4 +98,6 @@
 
 /var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 
-/var/www/svn(/.*)?		gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+/var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
+/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.6.12/policy/modules/services/automount.if
--- nsaserefpolicy/policy/modules/services/automount.if	2009-04-07 21:54:47.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/automount.if	2009-06-25 10:21:01.000000000 +0200
@@ -21,6 +21,25 @@
 
 ########################################
 ## <summary>
+##	Send automount a signal
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+#
+interface(`automount_signal',`
+	gen_require(`
+		type automount_t;
+	')
+
+	allow $1 automount_t:process signal;
+')
+
+########################################
+## <summary>
 ##	Execute automount in the caller domain.
 ## </summary>
 ## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.12/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/avahi.te	2009-06-29 13:28:59.000000000 +0200
@@ -24,7 +24,7 @@
 # Local policy
 #
 
-allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot };
+allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin setuid sys_chroot };
 dontaudit avahi_t self:capability sys_tty_config;
 allow avahi_t self:process { setrlimit signal_perms getcap setcap };
 allow avahi_t self:fifo_file rw_fifo_file_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.12/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/bluetooth.te	2009-06-25 10:21:01.000000000 +0200
@@ -64,6 +64,7 @@
 allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow bluetooth_t self:tcp_socket create_stream_socket_perms;
 allow bluetooth_t self:udp_socket create_socket_perms;
+allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
 
 read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te	2009-06-25 10:21:01.000000000 +0200
@@ -14,7 +14,7 @@
 files_pid_file(consolekit_var_run_t)
 
 type consolekit_log_t;
-files_pid_file(consolekit_log_t)
+logging_log_file(consolekit_log_t)
 
 ########################################
 #
@@ -50,6 +50,7 @@
 files_read_usr_files(consolekit_t)
 # needs to read /var/lib/dbus/machine-id
 files_read_var_lib_files(consolekit_t)
+files_search_all_mountpoints(consolekit_t)
 
 fs_list_inotifyfs(consolekit_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.12/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/cron.if	2009-06-25 10:21:01.000000000 +0200
@@ -163,27 +163,14 @@
 #
 interface(`cron_unconfined_role',`
 	gen_require(`
-		type unconfined_cronjob_t, admin_crontab_t, crontab_tmp_t, crontab_exec_t;
+		type unconfined_cronjob_t;
 	')
 
-	role $1 types { unconfined_cronjob_t admin_crontab_t };
+	role $1 types unconfined_cronjob_t;
 
 	# cronjob shows up in user ps
 	ps_process_pattern($2, unconfined_cronjob_t)
 
-	# Transition from the user domain to the derived domain.
-	domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
-
-	# crontab shows up in user ps
-	ps_process_pattern($2, admin_crontab_t)
-	allow $2 admin_crontab_t:process signal;
-
-	# Run helper programs as the user domain
-	#corecmd_bin_domtrans(admin_crontab_t, $2)
-	#corecmd_shell_domtrans(admin_crontab_t, $2)
-	corecmd_exec_bin(admin_crontab_t)
-	corecmd_exec_shell(admin_crontab_t)
-
 	optional_policy(`
 		gen_require(`
 			class dbus send_msg;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.12/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/cups.fc	2009-06-25 10:21:01.000000000 +0200
@@ -36,6 +36,8 @@
 # keep as separate lines to ensure proper sorting
 /usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
 /usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib/cups/filter/hp.* --	gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib64/cups/filter/hp.* --	gen_context(system_u:object_r:hplip_exec_t,s0)
 
 /usr/sbin/printconf-backend --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 /usr/sbin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.12/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/dcc.te	2009-06-25 10:21:01.000000000 +0200
@@ -130,11 +130,13 @@
 
 # Access files in /var/dcc. The map file can be updated
 allow dcc_client_t dcc_var_t:dir list_dir_perms;
-read_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
 read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
 
 kernel_read_system_state(dcc_client_t)
 
+fs_getattr_all_fs(dcc_client_t)
+
 corenet_all_recvfrom_unlabeled(dcc_client_t)
 corenet_all_recvfrom_netlabel(dcc_client_t)
 corenet_udp_bind_generic_node(dcc_client_t)
@@ -154,6 +156,10 @@
 userdom_use_user_terminals(dcc_client_t)
 
 optional_policy(`
+	amavis_read_spool_files(dcc_client_t)
+')
+
+optional_policy(`
 	spamassassin_read_spamd_tmp_files(dcc_client_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.12/policy/modules/services/ddclient.if
--- nsaserefpolicy/policy/modules/services/ddclient.if	2009-04-07 21:54:45.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/ddclient.if	2009-06-25 10:21:01.000000000 +0200
@@ -21,6 +21,31 @@
 
 ########################################
 ## <summary>
+##	 Execute ddclient daemon on behalf of a user or staff type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	 Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the ppp domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ddclient_run',`
+	gen_require(`
+		type ddclient_t;
+	')
+
+	ddclient_domtrans($1)
+	role $2 types ddclient_t;
+')
+
+########################################
+## <summary>
 ##	All of the rules required to administrate 
 ##	an ddclient environment
 ## </summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/devicekit.te	2009-06-25 10:21:01.000000000 +0200
@@ -55,7 +55,7 @@
 #
 # DeviceKit-Power local policy
 #
-allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice };
+allow devicekit_power_t self:capability { dac_override sys_ptrace sys_tty_config sys_nice };
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
 
@@ -77,6 +77,7 @@
 kernel_rw_kernel_sysctl(devicekit_power_t)
 kernel_write_proc_files(devicekit_power_t)
 
+dev_read_input(devicekit_power_t)
 dev_rw_generic_usb_dev(devicekit_power_t)
 dev_rw_netcontrol(devicekit_power_t)
 dev_rw_sysfs(devicekit_power_t)
@@ -107,6 +108,7 @@
 ')
 
 optional_policy(`
+	polkit_dbus_chat(devicekit_power_t)
 	polkit_domtrans_auth(devicekit_power_t)
 	polkit_read_lib(devicekit_power_t)
 	polkit_read_reload(devicekit_power_t)
@@ -147,6 +149,7 @@
 
 allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio };
 allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
 
 manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
 manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
@@ -199,6 +202,7 @@
 ')
 
 optional_policy(`
+	polkit_dbus_chat(devicekit_disk_t)
 	polkit_domtrans_auth(devicekit_disk_t)
 	polkit_read_lib(devicekit_disk_t)
 	polkit_read_reload(devicekit_disk_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.12/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/dnsmasq.te	2009-06-25 10:21:01.000000000 +0200
@@ -87,6 +87,10 @@
 ')
 
 optional_policy(`
+	dbus_system_bus_client(dnsmasq_t)
+')
+
+optional_policy(`
 	tftp_read_content(dnsmasq_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.12/policy/modules/services/fetchmail.te
--- nsaserefpolicy/policy/modules/services/fetchmail.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/fetchmail.te	2009-06-29 16:22:53.000000000 +0200
@@ -60,6 +60,8 @@
 corenet_tcp_connect_all_ports(fetchmail_t)
 corenet_sendrecv_all_client_packets(fetchmail_t)
 
+corecmd_exec_shell(fetchmail_t)
+
 dev_read_sysfs(fetchmail_t)
 dev_read_rand(fetchmail_t)
 dev_read_urand(fetchmail_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te	2009-06-25 10:21:01.000000000 +0200
@@ -22,12 +22,15 @@
 
 corecmd_search_bin(fprintd_t)
 
+dev_list_usbfs(fprintd_t)
 dev_rw_generic_usb_dev(fprintd_t)
 dev_read_sysfs(fprintd_t)
 
 files_read_etc_files(fprintd_t)
 files_read_usr_files(fprintd_t)
 
+kernel_read_system_state(fprintd_t)
+
 auth_use_nsswitch(fprintd_t)
 
 miscfiles_read_localization(fprintd_t)
@@ -40,9 +43,10 @@
 ')
 
 optional_policy(`
-	polkit_read_reload(fprintd_t)
-	polkit_read_lib(fprintd_t)
+	polkit_dbus_chat(fprintd_t)
 	polkit_domtrans_auth(fprintd_t)
+	polkit_read_lib(fprintd_t)
+	polkit_read_reload(fprintd_t)
 ')
 
 permissive fprintd_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.12/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/ftp.te	2009-06-29 16:23:40.000000000 +0200
@@ -91,6 +91,9 @@
 #
 
 allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
+ifdef(`hide_broken_symptoms', `
+allow ftpd_t self:capability { sys_admin };
+')
 dontaudit ftpd_t self:capability sys_tty_config;
 allow ftpd_t self:process signal_perms;
 allow ftpd_t self:process { getcap setcap setsched setrlimit };
@@ -129,8 +132,7 @@
 allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
 
 # Create and modify /var/log/xferlog.
-allow ftpd_t xferlog_t:dir search_dir_perms;
-allow ftpd_t xferlog_t:file manage_file_perms;
+manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
 logging_log_filetrans(ftpd_t, xferlog_t, file)
 
 kernel_read_kernel_sysctls(ftpd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.12/policy/modules/services/gnomeclock.te
--- nsaserefpolicy/policy/modules/services/gnomeclock.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/gnomeclock.te	2009-06-25 10:21:01.000000000 +0200
@@ -44,6 +44,7 @@
 ')
 
 optional_policy(`
+	polkit_dbus_chat(gnomeclock_t)
 	polkit_domtrans_auth(gnomeclock_t)
 	polkit_read_lib(gnomeclock_t)
 	polkit_read_reload(gnomeclock_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.12/policy/modules/services/gpsd.fc
--- nsaserefpolicy/policy/modules/services/gpsd.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/gpsd.fc	2009-06-25 10:25:21.000000000 +0200
@@ -1,3 +1,6 @@
+/etc/rc\.d/init\.d/gpsd          --      gen_context(system_u:object_r:gpsd_initrc_exec_t,s0)
 
 /usr/sbin/gpsd                 --      gen_context(system_u:object_r:gpsd_exec_t,s0)
 
+/var/run/gpsd\.pid               --      gen_context(system_u:object_r:gpsd_var_run_t,s0)
+/var/run/gpsd\.sock              -s      gen_context(system_u:object_r:gpsd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.12/policy/modules/services/gpsd.te
--- nsaserefpolicy/policy/modules/services/gpsd.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/gpsd.te	2009-06-25 10:24:43.000000000 +0200
@@ -8,11 +9,17 @@
 type gpsd_t;
 type gpsd_exec_t;
 application_domain(gpsd_t, gpsd_exec_t)
-role system_r types gpsd_t;
+init_daemon_domain(gpsd_t, gpsd_exec_t)
+
+type gpsd_initrc_exec_t;
+init_script_file(gpsd_initrc_exec_t)
 
 type gpsd_tmpfs_t;
 files_tmpfs_file(gpsd_tmpfs_t)
 
+type gpsd_var_run_t;
+files_pid_file(gpsd_var_run_t)
+
 ########################################
 #
 # gpsd local policy
@@ -28,6 +35,15 @@
 manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
 fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file })
 
+manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
+
+corenet_all_recvfrom_unlabeled(gpsd_t)
+corenet_all_recvfrom_netlabel(gpsd_t)
+corenet_tcp_sendrecv_generic_if(gpsd_t)
+corenet_tcp_sendrecv_generic_node(gpsd_t)
+corenet_tcp_sendrecv_all_ports(gpsd_t)
 corenet_tcp_bind_all_nodes(gpsd_t)
 corenet_tcp_bind_gpsd_port(gpsd_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.12/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/hal.te	2009-06-25 10:21:01.000000000 +0200
@@ -162,6 +162,7 @@
 fs_mount_dos_fs(hald_t)
 fs_unmount_dos_fs(hald_t)
 fs_manage_dos_files(hald_t)
+fs_manage_fusefs_dirs(hald_t)
 
 files_getattr_all_mountpoints(hald_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.12/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/kerberos.if	2009-06-25 10:21:01.000000000 +0200
@@ -70,6 +70,7 @@
 interface(`kerberos_use',`
 	gen_require(`
 		type krb5_conf_t, krb5kdc_conf_t;
+		type krb5_host_rcache_t;
 	')
 
 	files_search_etc($1)
@@ -101,6 +102,7 @@
 		corenet_tcp_connect_ocsp_port($1)
 		corenet_sendrecv_kerberos_client_packets($1)
 		corenet_sendrecv_ocsp_client_packets($1)
+		allow $1 krb5_host_rcache_t:file getattr;
 	')
 
 	optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.12/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/kerberos.te	2009-06-25 10:21:01.000000000 +0200
@@ -287,6 +287,11 @@
 
 manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
 manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
+filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file)
+
+manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
 
 corecmd_exec_bin(kpropd_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.12/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/lircd.te	2009-06-25 10:21:01.000000000 +0200
@@ -45,6 +45,9 @@
 dev_filetrans(lircd_t, lircd_sock_t, sock_file )
 dev_read_generic_usb_dev(lircd_t)
 
+dev_filetrans_lirc(lircd_t)
+dev_rw_lirc(lircd_t)
+
 logging_send_syslog_msg(lircd_t)
 
 files_read_etc_files(lircd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.12/policy/modules/services/mailman.if
--- nsaserefpolicy/policy/modules/services/mailman.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/mailman.if	2009-06-25 10:21:01.000000000 +0200
@@ -197,6 +197,7 @@
 		type mailman_data_t;
 	')
 
+	list_dirs_pattern($1, mailman_data_t, mailman_data_t)
 	read_files_pattern($1, mailman_data_t, mailman_data_t)
 	read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.12/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/mta.if	2009-06-25 10:21:01.000000000 +0200
@@ -473,6 +473,7 @@
 	')
 
 	write_files_pattern($1, etc_mail_t, etc_mail_t)
+	allow $1 etc_mail_t:file setattr;
 ')
 
 ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.12/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/mysql.te	2009-06-25 10:21:01.000000000 +0200
@@ -136,10 +136,12 @@
 allow mysqld_safe_t self:capability { dac_override fowner chown };
 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
  
+allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;
+ 
 allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
 logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
 
-mysql_append_db_files(mysqld_safe_t)        
+mysql_manage_db_files(mysqld_safe_t)        
 mysql_read_config(mysqld_safe_t)
 mysql_search_pid_files(mysqld_safe_t)
 mysql_write_log(mysqld_safe_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.12/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/nis.te	2009-06-26 15:48:39.000000000 +0200
@@ -72,8 +72,7 @@
 manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
 
 kernel_read_kernel_sysctls(ypbind_t)
-kernel_list_proc(ypbind_t)
-kernel_read_proc_symlinks(ypbind_t)
+kernel_read_system_state(ypbind_t)
 
 corenet_all_recvfrom_unlabeled(ypbind_t)
 corenet_all_recvfrom_netlabel(ypbind_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.fc serefpolicy-3.6.12/policy/modules/services/nslcd.fc
--- nsaserefpolicy/policy/modules/services/nslcd.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/nslcd.fc	2009-06-25 10:21:01.000000000 +0200
@@ -0,0 +1,4 @@
+/usr/sbin/nslcd	--	gen_context(system_u:object_r:nslcd_exec_t,s0)
+/etc/nss-ldapd.conf	--	gen_context(system_u:object_r:nslcd_conf_t,s0)
+/etc/rc\.d/init\.d/nslcd	--	gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
+/var/run/nslcd(/.*)?			gen_context(system_u:object_r:nslcd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.12/policy/modules/services/nslcd.if
--- nsaserefpolicy/policy/modules/services/nslcd.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/nslcd.if	2009-06-25 10:21:01.000000000 +0200
@@ -0,0 +1,145 @@
+
+## <summary>policy for nslcd</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run nslcd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nslcd_domtrans',`
+	gen_require(`
+		type nslcd_t;
+                type nslcd_exec_t;
+	')
+
+	domtrans_pattern($1,nslcd_exec_t,nslcd_t)
+')
+
+
+########################################
+## <summary>
+##	Execute nslcd server in the nslcd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`nslcd_initrc_domtrans',`
+	gen_require(`
+		type nslcd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1,nslcd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Read nslcd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nslcd_read_pid_files',`
+	gen_require(`
+		type nslcd_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 nslcd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage nslcd var_run files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nslcd_manage_var_run',`
+	gen_require(`
+		type nslcd_var_run_t;
+	')
+
+         manage_dirs_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
+         manage_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
+         manage_lnk_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an nslcd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the nslcd domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`nslcd_admin',`
+	gen_require(`
+		type nslcd_t;
+	')
+
+	allow $1 nslcd_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, nslcd_t, nslcd_t)
+	allow $1 nslcd_conf_t:file read_file_perms;
+
+	gen_require(`
+		type nslcd_initrc_exec_t;
+	')
+
+	# Allow nslcd_t to restart the apache service
+	nslcd_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 nslcd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	nslcd_manage_var_run($1)
+')
+
+
+########################################
+## <summary>
+##	Connect to nslcd over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nslcd_use',`
+	gen_require(`
+		type nslcd_t, var_run_t, nslcd_var_run_t;
+	')
+
+#	list_dirs_pattern($1, var_run_t, nslcd_var_run_t)
+	write_sock_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+	allow $1 nslcd_t:unix_stream_socket connectto;
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.6.12/policy/modules/services/nslcd.te
--- nsaserefpolicy/policy/modules/services/nslcd.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/nslcd.te	2009-06-25 10:21:01.000000000 +0200
@@ -0,0 +1,50 @@
+policy_module(nslcd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type nslcd_t;
+type nslcd_exec_t;
+init_daemon_domain(nslcd_t, nslcd_exec_t)
+
+#permissive nslcd_t;
+
+type nslcd_initrc_exec_t;
+init_script_file(nslcd_initrc_exec_t)
+
+type nslcd_var_run_t;
+files_pid_file(nslcd_var_run_t)
+
+type nslcd_conf_t;
+files_type(nslcd_conf_t)
+allow nslcd_t nslcd_conf_t:file read_file_perms;
+
+########################################
+#
+# nslcd local policy
+#
+
+allow nslcd_t self:capability { setgid setuid dac_override };
+
+# Init script handling
+domain_use_interactive_fds(nslcd_t)
+
+# internal communication is often done using fifo and unix sockets.
+allow nslcd_t self:sock_file rw_file_perms;
+allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
+allow nslcd_t self:process signal;
+
+files_read_etc_files(nslcd_t)
+
+miscfiles_read_localization(nslcd_t)
+
+manage_dirs_pattern(nslcd_t, nslcd_var_run_t,  nslcd_var_run_t)
+manage_files_pattern(nslcd_t, nslcd_var_run_t,  nslcd_var_run_t)
+files_pid_filetrans(nslcd_t,nslcd_var_run_t, { file dir })
+allow nslcd_t nslcd_var_run_t:sock_file manage_sock_file_perms;
+
+auth_use_nsswitch(nslcd_t)
+
+logging_send_syslog_msg(nslcd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.12/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te	2009-04-07 21:54:45.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/pcscd.te	2009-06-25 10:21:01.000000000 +0200
@@ -28,6 +28,7 @@
 allow pcscd_t self:tcp_socket create_stream_socket_perms;
 
 manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
 manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
 manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
 files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
@@ -46,6 +47,8 @@
 files_read_etc_files(pcscd_t)
 files_read_etc_runtime_files(pcscd_t)
 
+kernel_read_system_state(pcscd_t)
+
 term_use_unallocated_ttys(pcscd_t)
 term_dontaudit_getattr_pty_dirs(pcscd_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.6.12/policy/modules/services/polkit.fc
--- nsaserefpolicy/policy/modules/services/polkit.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/polkit.fc	2009-06-25 10:21:01.000000000 +0200
@@ -2,7 +2,7 @@
 /usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:polkit_auth_exec_t,s0)
 /usr/libexec/polkit-grant-helper.*	--	gen_context(system_u:object_r:polkit_grant_exec_t,s0)
 /usr/libexec/polkit-resolve-exe-helper.* --	gen_context(system_u:object_r:polkit_resolve_exec_t,s0)
-/usr/libexec/polkitd			--	gen_context(system_u:object_r:polkit_exec_t,s0)
+/usr/libexec/polkitd.*			--	gen_context(system_u:object_r:polkit_exec_t,s0)
 
 /var/lib/PolicyKit(/.*)?			gen_context(system_u:object_r:polkit_var_lib_t,s0)
 /var/run/PolicyKit(/.*)?			gen_context(system_u:object_r:polkit_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.12/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/polkit.if	2009-06-25 10:21:01.000000000 +0200
@@ -194,6 +194,7 @@
 
 	polkit_domtrans_auth($1)
 	role $2 types polkit_auth_t;
+	polkit_dbus_chat($1)
 ')
 
 #######################################
@@ -217,6 +218,7 @@
 	polkit_run_grant($2, $1)
 	polkit_read_lib($2)
 	polkit_read_reload($2)
+	polkit_dbus_chat($2)
 ')
 
 ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.12/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/postfix.if	2009-06-25 10:21:01.000000000 +0200
@@ -580,6 +580,25 @@
 
 ########################################
 ## <summary>
+##	Execute the master postqueue in the
+##	postfix_postqueue domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_domtrans_postqueue',`
+	gen_require(`
+		type postfix_postqueue_t, postfix_postqueue_exec_t;
+	')
+
+	domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
+')
+
+########################################
+## <summary>
 ##	Execute the master postdrop in the
 ##	postfix_postdrop domain.
 ## </summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.12/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/postgresql.te	2009-06-29 16:24:29.000000000 +0200
@@ -202,6 +202,7 @@
 corenet_tcp_bind_generic_node(postgresql_t)
 corenet_tcp_bind_postgresql_port(postgresql_t)
 corenet_tcp_connect_auth_port(postgresql_t)
+corenet_tcp_connect_postgresql_port(postgresql_t)
 corenet_sendrecv_postgresql_server_packets(postgresql_t)
 corenet_sendrecv_auth_client_packets(postgresql_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.12/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/ppp.if	2009-06-25 10:21:01.000000000 +0200
@@ -177,10 +177,16 @@
 interface(`ppp_run',`
 	gen_require(`
 		type pppd_t;
+		type pptp_t;
 	')
 
 	ppp_domtrans($1)
 	role $2 types pppd_t;
+	role $2 types pptp_t;
+
+	optional_policy(`
+		ddclient_run(pppd_t, $2)
+	')
 ')
 
 ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.12/policy/modules/services/privoxy.te
--- nsaserefpolicy/policy/modules/services/privoxy.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/privoxy.te	2009-06-25 10:21:01.000000000 +0200
@@ -48,8 +48,7 @@
 files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
 
 kernel_read_kernel_sysctls(privoxy_t)
-kernel_list_proc(privoxy_t)
-kernel_read_proc_symlinks(privoxy_t)
+kernel_read_system_state(privoxy_t)
 
 corenet_all_recvfrom_unlabeled(privoxy_t)
 corenet_all_recvfrom_netlabel(privoxy_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.12/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/pyzor.fc	2009-06-25 10:21:01.000000000 +0200
@@ -3,6 +3,8 @@
 
 HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
 HOME_DIR/\.spamd(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.pyzor(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.spamd(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
 
 /usr/bin/pyzor		--	gen_context(system_u:object_r:pyzor_exec_t,s0)
 /usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.12/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/pyzor.te	2009-06-25 10:21:01.000000000 +0200
@@ -97,6 +97,8 @@
 kernel_read_kernel_sysctls(pyzor_t)  
 kernel_read_system_state(pyzor_t)
 
+fs_getattr_xattr_fs(pyzor_t)
+
 corecmd_list_bin(pyzor_t)
 corecmd_getattr_bin_files(pyzor_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/rpc.te	2009-06-25 10:21:01.000000000 +0200
@@ -95,6 +95,10 @@
 userdom_signal_unpriv_users(rpcd_t)
 
 optional_policy(`
+	automount_signal(rpcd_t)
+')
+
+optional_policy(`
 	nis_read_ypserv_config(rpcd_t)
 ')
 
@@ -214,6 +218,10 @@
 ')
 
 optional_policy(`
+	automount_signal(gssd_t)
+')
+
+optional_policy(`
 	kerberos_keytab_template(gssd, gssd_t) 
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.12/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/rsync.te	2009-06-25 10:21:01.000000000 +0200
@@ -126,6 +126,8 @@
 
 tunable_policy(`rsync_export_all_ro',`
 	fs_read_noxattr_fs_files(rsync_t) 
+	fs_read_nfs_files(rsync_t)
+	fs_read_cifs_files(rsync_t)
 	auth_read_all_dirs_except_shadow(rsync_t)
 	auth_read_all_files_except_shadow(rsync_t)
 	auth_read_all_symlinks_except_shadow(rsync_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.12/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/sendmail.te	2009-06-25 10:21:01.000000000 +0200
@@ -148,6 +148,7 @@
 
 optional_policy(`
 	postfix_domtrans_postdrop(sendmail_t)
+	postfix_domtrans_postqueue(sendmail_t)
 	postfix_domtrans_master(sendmail_t)
 	postfix_read_config(sendmail_t)
 	postfix_search_spool(sendmail_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te	2009-06-25 10:21:01.000000000 +0200
@@ -121,6 +121,10 @@
 userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
 
 optional_policy(`
+	locate_read_lib_files(setroubleshootd_t)
+')
+
+optional_policy(`
 	dbus_system_bus_client(setroubleshootd_t)
 	dbus_connect_system_bus(setroubleshootd_t)
 	dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.fc serefpolicy-3.6.12/policy/modules/services/shorewall.fc
--- nsaserefpolicy/policy/modules/services/shorewall.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/shorewall.fc	1970-01-01 01:00:00.000000000 +0100
@@ -1,12 +0,0 @@
-
-/etc/rc\.d/init\.d/shorewall        	--      gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/shorewall-lite       --      gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
-
-/etc/shorewall(/.*)?            		gen_context(system_u:object_r:shorewall_etc_t,s0)
-/etc/shorewall-lite(/.*)?               	gen_context(system_u:object_r:shorewall_etc_t,s0)
-
-/sbin/shorewall				--	gen_context(system_u:object_r:shorewall_exec_t,s0)
-/sbin/shorewall-lite			--      gen_context(system_u:object_r:shorewall_exec_t,s0)
-
-/var/lib/shorewall(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
-/var/lib/shorewall-lite(/.*)?           	gen_context(system_u:object_r:shorewall_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.if serefpolicy-3.6.12/policy/modules/services/shorewall.if
--- nsaserefpolicy/policy/modules/services/shorewall.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/shorewall.if	1970-01-01 01:00:00.000000000 +0100
@@ -1,166 +0,0 @@
-## <summary>policy for shorewall</summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to run shorewall.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`shorewall_domtrans',`
-	gen_require(`
-		type shorewall_t; 
-		type shorewall_exec_t;
-	')
-
-	domtrans_pattern($1, shorewall_exec_t, shorewall_t)
-')
-
-#######################################
-## <summary>
-##      Read shorewall etc configuration files.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`shorewall_read_etc',`
-        gen_require(`
-                type shorewall_etc_t;
-        ')
-
-        files_search_etc($1)
-        read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
-')
-
-#######################################
-## <summary>
-##      Read shorewall PID files.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`shorewall_read_pid_files',`
-        gen_require(`
-                type shorewall_var_run_t;
-        ')
-
-        files_search_pids($1)
-        read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
-')
-
-#######################################
-## <summary>
-##      Read and write shorewall PID files.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`shorewall_rw_pid_files',`
-        gen_require(`
-                type shorewall_var_run_t;
-        ')
-
-        files_search_pids($1)
-        rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
-')
-
-######################################
-## <summary>
-##      Read shorewall /var/lib files.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`shorewall_read_var_lib',`
-        gen_require(`
-                type shorewall_t;
-       ')
-
-        files_search_var_lib($1)
-        search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
-        read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
-')
-
-#######################################
-## <summary>
-##      Read and write shorewall /var/lib files.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`shorewall_rw_var_lib',`
-        gen_require(`
-                type shorewall_t;
-       ')
-
-        files_search_var_lib($1)
-        search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
-        rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
-')
-
-#######################################
-## <summary>
-##      All of the rules required to administrate 
-##      an shorewall environment
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-## <param name="role">
-##      <summary>
-##      The role to be allowed to manage the syslog domain.
-##      </summary>
-## </param>
-## <rolecap/>
-#
-interface(`shorewall_admin',`
-        gen_require(`
-                type shorewall_t, shorewall_var_run_t, shorewall_lock_t;
-                type shorewall_initrc_exec_t, shorewall_var_lib_t;
-                type shorewall_tmp_t;
-        ')
-
-        allow $1 shorewall_t:process { ptrace signal_perms };
-        ps_process_pattern($1, shorewall_t)
-
-        init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
-        domain_system_change_exemption($1)
-        role_transition $2 shorewall_initrc_exec_t system_r;
-        allow $2 system_r;
-
-        files_search_etc($1)
-        admin_pattern($1, shorewall_etc_t)
-
-	files_search_locks($1)
-	admin_pattern($1, shorewall_lock_t)
-
-        files_search_pids($1)
-        admin_pattern($1, shorewall_var_run_t)
-
-        files_search_var_lib($1)
-        admin_pattern($1, shorewall_var_lib_t)
-
-        files_search_tmp($1)
-        admin_pattern($1, shorewall_tmp_t)
-')
-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.12/policy/modules/services/shorewall.te
--- nsaserefpolicy/policy/modules/services/shorewall.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/shorewall.te	1970-01-01 01:00:00.000000000 +0100
@@ -1,102 +0,0 @@
-policy_module(shorewall,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type shorewall_t;
-type shorewall_exec_t;
-init_daemon_domain(shorewall_t, shorewall_exec_t)
-
-type shorewall_initrc_exec_t;
-init_script_file(shorewall_initrc_exec_t)
-
-# etc files
-type shorewall_etc_t;
-files_config_file(shorewall_etc_t)
-
-# lock files
-type shorewall_lock_t;
-files_lock_file(shorewall_lock_t)
-
-# tmp files
-type shorewall_tmp_t;
-files_tmp_file(shorewall_tmp_t)
-
-# var/lib files
-type shorewall_var_lib_t;
-files_type(shorewall_var_lib_t)
-
-########################################
-#
-# shorewall local policy
-#
-
-allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace};
-dontaudit shorewall_t self:capability sys_tty_config;
-
-allow shorewall_t self:fifo_file rw_fifo_file_perms;
-
-# etc file
-read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
-list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
-
-# lock files
-manage_files_pattern(shorewall_t,shorewall_lock_t,shorewall_lock_t)
-files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
-
-# var/lib files for shorewall
-exec_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
-manage_dirs_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
-manage_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
-files_var_lib_filetrans(shorewall_t,shorewall_var_lib_t, { dir file })
-
-# tmp files for shorewall
-manage_dirs_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t)
-manage_files_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t)
-files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir })
-
-kernel_read_kernel_sysctls(shorewall_t)
-kernel_read_system_state(shorewall_t)
-kernel_read_network_state(shorewall_t)
-kernel_rw_net_sysctls(shorewall_t)
-
-corecmd_exec_bin(shorewall_t)
-corecmd_exec_shell(shorewall_t)
-
-dev_read_urand(shorewall_t)
-
-fs_getattr_all_fs(shorewall_t)
-
-domain_read_all_domains_state(shorewall_t)
-
-files_getattr_kernel_modules(shorewall_t)
-files_read_etc_files(shorewall_t)
-files_read_usr_files(shorewall_t)
-files_search_kernel_modules(shorewall_t)
-
-init_rw_utmp(shorewall_t)
-
-libs_use_ld_so(shorewall_t)
-libs_use_shared_libs(shorewall_t)
-
-logging_send_syslog_msg(shorewall_t)
-
-miscfiles_read_localization(shorewall_t)
-
-userdom_dontaudit_list_admin_dir(shorewall_t)
-
-sysnet_domtrans_ifconfig(shorewall_t)
-iptables_domtrans(shorewall_t)
-
-optional_policy(`
-        modutils_domtrans_insmod(shorewall_t)
-')
-
-optional_policy(`
-	ulogd_search_log(shorewall_t)
-')
-
-permissive shorewall_t;
-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.12/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.fc	2009-06-25 10:21:01.000000000 +0200
@@ -1,3 +1,4 @@
+/root/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
 HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
 
 /etc/rc\.d/init\.d/spamd	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.12/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/uucp.te	2009-06-25 10:21:01.000000000 +0200
@@ -95,6 +95,8 @@
 files_search_home(uucpd_t)
 files_search_spool(uucpd_t)
 
+term_setattr_controlling_term(uucpd_t)
+
 auth_use_nsswitch(uucpd_t)
 
 logging_send_syslog_msg(uucpd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/virt.te	2009-06-25 10:21:01.000000000 +0200
@@ -22,6 +22,13 @@
 
 ## <desc>
 ## <p>
+## Allow svirt to use usb devices
+## </p>
+## </desc>
+gen_tunable(virt_use_usb, true)
+
+## <desc>
+## <p>
 ## Allow svirt to manage device configuration, (pci)
 ## </p>
 ## </desc>
@@ -95,6 +102,7 @@
 
 manage_files_pattern(virtd_t, virt_image_t, virt_image_t)
 manage_blk_files_pattern(virtd_t, virt_image_t, virt_image_t)
+read_lnk_files_pattern(virtd_t, virt_image_t, virt_image_t)
 allow virtd_t virt_image_t:file { relabelfrom relabelto };
 allow virtd_t virt_image_t:blk_file { relabelfrom relabelto };
 
@@ -183,6 +191,7 @@
 seutil_read_default_contexts(virtd_t)
 
 term_getattr_pty_fs(virtd_t)
+term_use_generic_ptys(virtd_t)
 term_use_ptmx(virtd_t)
 
 auth_use_nsswitch(virtd_t)
@@ -214,6 +223,12 @@
 	fs_read_cifs_symlinks(virtd_t)
 ')
 
+tunable_policy(`virt_use_usb',`
+	dev_rw_usbfs(svirt_t)
+	fs_manage_dos_dirs(svirt_t)
+	fs_manage_dos_files(svirt_t)
+')
+
 optional_policy(`
 	brctl_domtrans(virtd_t)
 ')
@@ -307,6 +322,7 @@
 manage_lnk_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
 files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file })
 
+read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)
 allow svirt_t svirt_image_t:dir search_dir_perms;
 manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
 manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
@@ -316,16 +332,17 @@
 dontaudit svirt_t virt_content_t:file write_file_perms;
 dontaudit svirt_t virt_content_t:dir write;
 
-storage_raw_write_removable_device(svirt_t)
-storage_raw_read_removable_device(svirt_t)
-
 userdom_search_user_home_content(svirt_t)
 userdom_read_all_users_state(svirt_t)
 
 append_files_pattern(svirt_t, virt_log_t, virt_log_t)
+append_files_pattern(svirt_t, virt_var_lib_t, virt_var_lib_t)
 
 allow svirt_t self:udp_socket create_socket_perms;
 
+corecmd_exec_bin(svirt_t)
+corecmd_exec_shell(svirt_t)
+
 corenet_udp_sendrecv_generic_if(svirt_t)
 corenet_udp_sendrecv_generic_node(svirt_t)
 corenet_udp_sendrecv_all_ports(svirt_t)
@@ -353,10 +370,6 @@
 ')
 
 optional_policy(`
-	samba_domtrans_smb(svirt_t)
-')
-
-optional_policy(`
 	xen_rw_image_files(svirt_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.12/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/xserver.fc	2009-06-25 10:21:01.000000000 +0200
@@ -62,6 +62,7 @@
 /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/bin/slim		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/bin/Xephyr		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/bin/xauth		--	gen_context(system_u:object_r:xauth_exec_t,s0)
 /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 ifdef(`distro_debian', `
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.12/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/xserver.if	2009-06-25 10:21:01.000000000 +0200
@@ -861,6 +861,24 @@
 
 ########################################
 ## <summary>
+##	Make an X executable an entrypoint for the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain for which the shell is an entrypoint.
+##	</summary>
+## </param>
+#
+interface(`xserver_entry_type',`
+	gen_require(`
+		type xserver_exec_t;
+	')
+
+	domain_entry_file($1, xserver_exec_t)
+')
+
+########################################
+## <summary>
 ##	Execute an X session in the target domain.  This
 ##	is an explicit transition, requiring the
 ##	caller to use setexeccon().
@@ -1411,6 +1429,7 @@
 	xserver_read_xdm_tmp_files($1)
 	xserver_xdm_stream_connect($1)
 	xserver_setattr_xdm_tmp_dirs($1)
+	xserver_read_xdm_pid($1)
 
 	allow $1 xdm_t:x_client { getattr destroy };
 	allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/xserver.te	2009-06-25 10:21:01.000000000 +0200
@@ -370,8 +370,9 @@
 manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
 manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
 manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+
 fs_getattr_all_fs(xdm_t)
-fs_search_inotifyfs(xdm_t)
+fs_list_inotifyfs(xdm_t)
 fs_read_noxattr_fs_files(xdm_t)
 
 manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
@@ -530,6 +531,7 @@
 miscfiles_read_localization(xdm_t)
 miscfiles_read_fonts(xdm_t)
 miscfiles_manage_localization(xdm_t)
+miscfiles_read_hwdata(xdm_t)
 
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
@@ -538,6 +540,7 @@
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
+userdom_manage_user_tmp_dirs(xdm_t)
 userdom_manage_user_tmp_sockets(xdm_t)
 userdom_manage_tmpfs_role(system_r, xdm_t)
 
@@ -839,7 +842,6 @@
 fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
-fs_list_inotifyfs(xdm_t)
 fs_rw_tmpfs_files(xserver_t)
 
 mls_xwin_read_to_clearance(xserver_t)
@@ -931,6 +933,10 @@
 ')
 
 optional_policy(`
+	sandbox_rw_xserver_tmpfs_files(xserver_t)
+')
+
+optional_policy(`
 	unconfined_domain(xserver_t)
 	unconfined_domtrans(xserver_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.12/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/authlogin.fc	2009-06-25 10:21:01.000000000 +0200
@@ -24,6 +24,8 @@
 /usr/sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
 ')
 
+/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
+
 /var/db/shadow.*	--	gen_context(system_u:object_r:shadow_t,s0)
 
 /var/lib/abl(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
@@ -44,4 +46,3 @@
 /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
 /var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 
-/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/authlogin.if	2009-06-25 10:21:01.000000000 +0200
@@ -42,8 +42,7 @@
 #
 interface(`auth_login_pgm_domain',`
 	gen_require(`
-		type var_auth_t;
-		type auth_cache_t;
+		type var_auth_t, auth_cache_t;
 	')
 
 	domain_type($1)
@@ -77,6 +76,8 @@
 
 	# for SSP/ProPolice
 	dev_read_urand($1)
+	# for encrypted homedir
+	dev_read_sysfs($1)
 	# for fingerprint readers
 	dev_rw_input_dev($1)
 	dev_rw_generic_usb_dev($1)
@@ -143,6 +144,11 @@
 	')
 
 	optional_policy(`
+		kerberos_manage_host_rcache($1)
+		kerberos_read_config($1)
+	')
+
+	optional_policy(`
 		fprintd_dbus_chat($1)
 	')
 
@@ -238,6 +244,96 @@
 
 ########################################
 ## <summary>
+##	Search authentication cache
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_search_cache',`
+	gen_require(`
+		type auth_cache_t;
+	')
+
+	allow $1  auth_cache_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read authentication cache
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_read_cache',`
+	gen_require(`
+		type auth_cache_t;
+	')
+
+	read_files_pattern($1, auth_cache_t,  auth_cache_t)
+')
+
+########################################
+## <summary>
+##	Read/Write authentication cache
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_rw_cache',`
+	gen_require(`
+		type auth_cache_t;
+	')
+
+	rw_files_pattern($1, auth_cache_t,  auth_cache_t)
+')
+
+########################################
+## <summary>
+##	Manage authentication cache
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_manage_cache',`
+	gen_require(`
+		type auth_cache_t;
+	')
+
+	manage_files_pattern($1, auth_cache_t,  auth_cache_t)
+')
+
+#######################################
+## <summary>
+##	Automatic transition from cache_t to cache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_var_filetrans_cache',`
+	gen_require(`
+		type auth_cache_t;
+	')
+
+	files_var_filetrans($1,auth_cache_t,{ file dir } )
+')
+
+########################################
+## <summary>
 ##	Run unix_chkpwd to check a password.
 ## </summary>
 ## <param name="domain">
@@ -726,7 +822,7 @@
 
 ########################################
 ## <summary>
-##	Send signal to pam process
+##	Send generic signals to pam processes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1258,6 +1354,25 @@
 
 ########################################
 ## <summary>
+##	dontaudit read login records files (/var/log/wtmp).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`auth_dontaudit_read_login_records',`
+	gen_require(`
+		type wtmp_t;
+	')
+
+	dontaudit $1 wtmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to write to
 ##	login records files.
 ## </summary>
@@ -1415,6 +1530,10 @@
 	')
 
 	optional_policy(`
+		nslcd_use($1)
+	')
+
+	optional_policy(`
 		sssd_stream_connect($1)
 	')
 
@@ -1456,99 +1575,3 @@
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
-
-########################################
-## <summary>
-##	Search authentication cache
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`auth_search_cache',`
-	gen_require(`
-		type auth_cache_t;
-	')
-
-	allow $1  auth_cache_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read authentication cache
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`auth_read_cache',`
-	gen_require(`
-		type auth_cache_t;
-	')
-
-	read_files_pattern($1, auth_cache_t,  auth_cache_t)
-')
-
-########################################
-## <summary>
-##	Read/Write authentication cache
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`auth_rw_cache',`
-	gen_require(`
-		type auth_cache_t;
-	')
-
-	rw_files_pattern($1, auth_cache_t,  auth_cache_t)
-')
-########################################
-## <summary>
-##	Manage authentication cache
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`auth_manage_cache',`
-	gen_require(`
-		type auth_cache_t;
-	')
-
-	manage_files_pattern($1, auth_cache_t,  auth_cache_t)
-')
-
-#######################################
-## <summary>
-##	Automatic transition from cache_t to cache.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_filetrans_cache',`
-	gen_require(`
-		type auth_cache_t;
-	')
-
-	manage_files_pattern($1, auth_cache_t,  auth_cache_t)
-	manage_dirs_pattern($1, auth_cache_t,  auth_cache_t)
-	files_var_filetrans($1,auth_cache_t,{ file dir } )
-')
-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.12/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/authlogin.te	2009-06-25 10:21:01.000000000 +0200
@@ -1,5 +1,5 @@
 
-policy_module(authlogin, 2.0.0)
+policy_module(authlogin, 2.0.2)
 
 ########################################
 #
@@ -10,9 +10,12 @@
 attribute can_write_shadow_passwords;
 attribute can_relabelto_shadow_passwords;
 
+type auth_cache_t;
+logging_log_file(auth_cache_t)
+
 type chkpwd_t, can_read_shadow_passwords;
 type chkpwd_exec_t;
-typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t system_chkpwd_t };
+typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
 typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t };
 application_domain(chkpwd_t, chkpwd_exec_t)
 role system_r types chkpwd_t;
@@ -57,15 +60,13 @@
 type updpwd_exec_t;
 domain_type(updpwd_t)
 domain_entry_file(updpwd_t,updpwd_exec_t)
+domain_obj_id_change_exemption(updpwd_t)
 role system_r types updpwd_t;
 
 type utempter_t;
 type utempter_exec_t;
 application_domain(utempter_t,utempter_exec_t)
 
-type auth_cache_t;
-logging_log_file(auth_cache_t)
-
 #
 # var_auth_t is the type of /var/lib/auth, usually
 # used for auth data in pam_able
@@ -180,11 +181,6 @@
 
 logging_send_syslog_msg(pam_t)
 
-userdom_write_user_tmp_files(pam_t)
-userdom_delete_user_tmp_files(pam_t)
-userdom_dontaudit_read_user_home_content_files(pam_t)
-userdom_dontaudit_write_user_home_content_files(pam_t)
-
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(pam_t)
@@ -200,7 +196,7 @@
 # PAM console local policy
 #
 
-allow pam_console_t self:capability { dac_override dac_read_search chown fowner fsetid };
+allow pam_console_t self:capability { chown fowner fsetid };
 dontaudit pam_console_t self:capability sys_tty_config;
 
 allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
@@ -218,8 +214,6 @@
 dev_read_sysfs(pam_console_t)
 dev_getattr_apm_bios_dev(pam_console_t)
 dev_setattr_apm_bios_dev(pam_console_t)
-dev_getattr_cpu_dev(pam_console_t)
-dev_setattr_cpu_dev(pam_console_t)
 dev_getattr_dri_dev(pam_console_t)
 dev_setattr_dri_dev(pam_console_t)
 dev_getattr_input_dev(pam_console_t)
@@ -244,10 +238,6 @@
 dev_setattr_video_dev(pam_console_t)
 dev_getattr_xserver_misc_dev(pam_console_t)
 dev_setattr_xserver_misc_dev(pam_console_t)
-
-dev_getattr_all_chr_files(pam_console_t)
-dev_setattr_all_chr_files(pam_console_t)
-
 dev_read_urand(pam_console_t)
 
 mls_file_read_all_levels(pam_console_t)
@@ -329,6 +319,7 @@
 # updpwd local policy
 #
 
+allow updpwd_t self:capability { chown dac_override };
 allow updpwd_t self:process setfscreate;
 allow updpwd_t self:fifo_file rw_fifo_file_perms;
 allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
@@ -336,6 +327,8 @@
 
 kernel_read_system_state(updpwd_t)
 
+dev_read_urand(updpwd_t)
+
 files_manage_etc_files(updpwd_t)
 
 term_dontaudit_use_console(updpwd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.12/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/init.fc	2009-06-25 10:21:01.000000000 +0200
@@ -6,6 +6,8 @@
 /etc/rc\.d/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
 /etc/rc\.d/rc\.[^/]+	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 
+/etc/sysconfig/network-scripts/ifup-ipsec  	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+
 /etc/rc\.d/init\.d/.*	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 
 /etc/X11/prefdm		--	gen_context(system_u:object_r:initrc_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/init.te	2009-06-25 10:21:01.000000000 +0200
@@ -285,6 +285,7 @@
 kernel_dontaudit_getattr_message_if(initrc_t)
 kernel_stream_connect(initrc_t)
 files_read_kernel_modules(initrc_t)
+files_read_config_files(initrc_t)
 
 files_read_kernel_symbol_table(initrc_t)
 files_exec_etc_files(initrc_t)
@@ -750,6 +751,7 @@
 
 	mysql_stream_connect(initrc_t)
 	mysql_write_log(initrc_t)
+	mysql_read_config(initrc_t)
 ')
 
 optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te	2009-06-25 10:21:01.000000000 +0200
@@ -1,5 +1,5 @@
 
-policy_module(ipsec, 1.9.0)
+policy_module(ipsec, 1.9.1)
 
 ########################################
 #
@@ -53,7 +53,7 @@
 # ipsec Local policy
 #
 
-allow ipsec_t self:capability { net_admin dac_override dac_read_search };
+allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
 dontaudit ipsec_t self:capability sys_tty_config;
 allow ipsec_t self:process { getsched signal setsched };
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
@@ -67,7 +67,7 @@
 read_lnk_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
 
 allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
-rw_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
+manage_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
 read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
 
 manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -103,13 +103,11 @@
 corenet_raw_sendrecv_all_nodes(ipsec_t)
 corenet_tcp_sendrecv_all_ports(ipsec_t)
 corenet_tcp_bind_all_nodes(ipsec_t)
+corenet_udp_bind_all_nodes(ipsec_t)
 corenet_tcp_bind_reserved_port(ipsec_t)
 corenet_tcp_bind_isakmp_port(ipsec_t)
-
-corenet_udp_bind_all_nodes(ipsec_t)
 corenet_udp_bind_isakmp_port(ipsec_t)
 corenet_udp_bind_ipsecnat_port(ipsec_t)
-
 corenet_sendrecv_generic_server_packets(ipsec_t)
 corenet_sendrecv_isakmp_server_packets(ipsec_t)
 
@@ -130,7 +128,7 @@
 
 files_read_etc_files(ipsec_t)
 files_read_usr_files(ipsec_t)
-files_search_tmp(ipsec_t)
+files_list_tmp(ipsec_t)
 
 init_use_fds(ipsec_t)
 init_use_script_ptys(ipsec_t)
@@ -158,12 +156,12 @@
 #
 
 allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
-allow ipsec_mgmt_t self:process { signal setrlimit };
+allow ipsec_mgmt_t self:process { signal setrlimit ptrace };
 allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
-allow ipsec_mgmt_t self:fifo_file rw_file_perms;
+allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
 
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file)
@@ -171,8 +169,6 @@
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
 
-logging_send_syslog_msg(ipsec_mgmt_t)
-
 manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
 manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
 
@@ -248,6 +244,8 @@
 init_exec_script_files(ipsec_mgmt_t)
 init_use_fds(ipsec_mgmt_t)
 
+logging_send_syslog_msg(ipsec_mgmt_t)
+
 miscfiles_read_localization(ipsec_mgmt_t)
 
 modutils_domtrans_insmod(ipsec_mgmt_t)
@@ -284,6 +282,7 @@
 allow racoon_t self:netlink_selinux_socket { bind create read };
 allow racoon_t self:udp_socket create_socket_perms;
 allow racoon_t self:key_socket create_socket_perms;
+allow racoon_t self:fifo_file rw_fifo_file_perms;
 
 # manage pid file
 manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
@@ -301,11 +300,21 @@
 kernel_read_system_state(racoon_t)
 kernel_read_network_state(racoon_t)
 
+can_exec(racoon_t, racoon_exec_t)
+
+corecmd_exec_shell(racoon_t)
+corecmd_exec_bin(racoon_t)
+
+sysnet_exec_ifconfig(racoon_t)
+
 corenet_all_recvfrom_unlabeled(racoon_t)
+corenet_tcp_sendrecv_all_if(racoon_t)
+corenet_udp_sendrecv_all_if(racoon_t)
+corenet_tcp_sendrecv_all_nodes(racoon_t)
+corenet_udp_sendrecv_all_nodes(racoon_t)
 corenet_tcp_bind_all_nodes(racoon_t)
 corenet_udp_bind_all_nodes(racoon_t)
 corenet_udp_bind_isakmp_port(racoon_t)
-corenet_udp_sendrecv_all_if(racoon_t)
 corenet_udp_bind_ipsecnat_port(racoon_t)
 
 dev_read_urand(racoon_t)
@@ -348,6 +357,7 @@
 files_read_etc_files(setkey_t)
 
 init_dontaudit_use_fds(setkey_t)
+init_read_script_tmp_files(setkey_t)
 
 # allow setkey to set the context for ipsec SAs and policy.
 ipsec_setcontext_default_spd(setkey_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.12/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/iscsi.te	2009-06-25 10:21:01.000000000 +0200
@@ -69,6 +69,7 @@
 dev_rw_sysfs(iscsid_t)
 
 domain_use_interactive_fds(iscsid_t)
+domain_read_all_domains_state(iscsid_t)
 
 files_read_etc_files(iscsid_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.12/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/libraries.fc	2009-06-29 14:16:57.000000000 +0200
@@ -139,6 +139,7 @@
 /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libjackserver\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libjs\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -190,6 +191,7 @@
 /usr/lib/firefox-[^/]*/plugins/nppdf.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/libFLAC\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/mozilla/plugins/nppdf\.so 	-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/maxima/[^/]+/binary-gcl/maxima	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/maxima/[^/]+/binary-gcl/maxima	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/mozilla/plugins/libvlcplugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/nx/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -284,6 +286,7 @@
 /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # vmware 
+HOME_DIR/\.mozilla(/.*)?/plugins/np-vmware-vmrc-.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -366,9 +369,10 @@
 /usr/matlab.*\.so(\.[^/]*)*		gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/local/matlab.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/local/matlab.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/Zend/lib/ZendExtensionManager\.so	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/lib/libcncpmslld328\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-
+/usr/lib(64)?/midori/.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.12/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/locallogin.te	2009-06-25 10:21:01.000000000 +0200
@@ -211,6 +211,7 @@
 # Sulogin local policy
 #
 
+allow sulogin_t self:capability dac_override;
 allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow sulogin_t self:fd use;
 allow sulogin_t self:fifo_file rw_file_perms;
@@ -258,7 +259,10 @@
 # suse and debian do not use pam with sulogin...
 ifdef(`distro_suse', `define(`sulogin_no_pam')')
 ifdef(`distro_debian', `define(`sulogin_no_pam')')
-ifdef(`distro_redhat',`define(`sulogin_no_pam')')
+ifdef(`distro_redhat',`
+	define(`sulogin_no_pam')
+	selinux_compute_user_contexts(sulogin_t)
+')
 
 ifdef(`sulogin_no_pam', `
 	allow sulogin_t self:capability sys_tty_config;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.12/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.te	2009-06-25 10:21:01.000000000 +0200
@@ -45,7 +45,7 @@
 # DHCP client local policy
 #
 allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_nice sys_resource sys_tty_config };
-dontaudit dhcpc_t self:capability sys_tty_config;
+dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
 allow dhcpc_t self:process { setfscreate ptrace signal_perms };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/udev.te	2009-06-25 10:21:01.000000000 +0200
@@ -112,6 +112,7 @@
 
 fs_getattr_all_fs(udev_t)
 fs_list_inotifyfs(udev_t)
+fs_rw_anon_inodefs_files(udev_t)
 
 mcs_ptrace_all(udev_t)
 
@@ -196,6 +197,10 @@
 ')
 
 optional_policy(`
+	bluetooth_domtrans(udev_t)
+')
+
+optional_policy(`
 	brctl_domtrans(udev_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-06-25 10:21:01.000000000 +0200
@@ -627,12 +627,6 @@
 		')
 
 		optional_policy(`
-			devicekit_dbus_chat($1_usertype)
-			devicekit_power_dbus_chat($1_usertype)
-			devicekit_disk_dbus_chat($1_usertype)
-		')
-
-		optional_policy(`
 			evolution_dbus_chat($1_usertype)
 			evolution_alarm_dbus_chat($1_usertype)
 	')
@@ -968,6 +962,16 @@
 	')
 
 		optional_policy(`
+		devicekit_dbus_chat($1_usertype)
+		devicekit_power_dbus_chat($1_usertype)
+		devicekit_disk_dbus_chat($1_usertype)
+	')
+
+	optional_policy(`
+		gnomeclock_dbus_chat($1_usertype)
+	')
+
+	optional_policy(`
 		gnome_manage_config($1_usertype)
 		gnome_manage_gconf_home_files($1_usertype)
 		gnome_read_gconf_config($1_usertype)
@@ -1880,7 +1884,7 @@
 		type user_home_t;
 	')
 
-	allow $1 user_home_t:dir delete_file_perms;
+	allow $1 user_home_t:file delete_file_perms;
 ')
 
 ########################################
@@ -3317,10 +3321,6 @@
   seutil_run_newrole($1_t, $1_r)
 
   optional_policy(`
-	gnomeclock_dbus_chat($1_t)
-  ')
-
-  optional_policy(`
 	kerneloops_dbus_chat($1_t)
   ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.12/policy/modules/system/virtual.te
--- nsaserefpolicy/policy/modules/system/virtual.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/virtual.te	2009-06-25 10:21:01.000000000 +0200
@@ -38,6 +38,7 @@
 dev_read_sound(virtualdomain)
 dev_write_sound(virtualdomain)
 dev_rw_kvm(virtualdomain)
+dev_rw_ksm(virtualdomain)
 dev_rw_qemu(virtualdomain)
 
 domain_use_interactive_fds(virtualdomain)
@@ -63,10 +64,6 @@
 miscfiles_read_localization(virtualdomain)
 
 optional_policy(`
-	dbus_system_bus_client(virtualdomain)
-')
-
-optional_policy(`
 	virt_read_config(virtualdomain)
 	virt_read_lib_files(virtualdomain)
 	virt_read_content(virtualdomain)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.12/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/xen.te	2009-06-25 10:21:01.000000000 +0200
@@ -419,6 +419,7 @@
 kernel_read_xen_state(xm_ssh_t)
 kernel_write_xen_state(xm_ssh_t)
 
+userdom_search_admin_dir(xm_ssh_t)
 
 #Should have a boolean wrapping these
 fs_list_auto_mountpoints(xend_t)