From 4f0c0c3aae9997233f3b3df812aa8c3db903b6c3 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mar 04 2010 18:19:14 +0000 Subject: - Update to upstream - These are merges of my patches - Remove 389 labeling conflicts - Add MLS fixes found in RHEL6 testing - Allow pulseaudio to run as a service - Add label for mssql and allow apache to connect to this database port if boolean set - Dontaudit searches of debugfs mount point - Allow policykit_auth to send signals to itself - Allow modcluster to call getpwnam - Allow swat to signal winbind - Allow usbmux to run as a system role - Allow svirt to create and use devpts --- diff --git a/policy-F13.patch b/policy-F13.patch index 126a786..cb381ef 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -1,6 +1,6 @@ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.10/Makefile +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.11/Makefile --- nsaserefpolicy/Makefile 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.7.10/Makefile 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/Makefile 2010-03-03 23:48:01.000000000 -0500 @@ -244,7 +244,7 @@ appdir := $(contextpath) user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) @@ -10,9 +10,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.10/ net_contexts := $(builddir)net_contexts all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.10/policy/global_tunables +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.11/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.10/policy/global_tunables 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/global_tunables 2010-03-03 23:48:01.000000000 -0500 @@ -61,15 +61,6 @@ ## @@ -48,9 +48,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref +## +gen_tunable(mmap_low_allowed, false) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-3.7.10/policy/modules/admin/acct.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-3.7.11/policy/modules/admin/acct.te --- nsaserefpolicy/policy/modules/admin/acct.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/admin/acct.te 2010-02-24 11:55:06.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/acct.te 2010-03-03 23:48:01.000000000 -0500 @@ -43,6 +43,7 @@ fs_getattr_xattr_fs(acct_t) @@ -59,9 +59,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te corecmd_exec_bin(acct_t) corecmd_exec_shell(acct_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.7.10/policy/modules/admin/alsa.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.7.11/policy/modules/admin/alsa.if --- nsaserefpolicy/policy/modules/admin/alsa.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/admin/alsa.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/alsa.if 2010-03-03 23:48:01.000000000 -0500 @@ -76,6 +76,26 @@ ######################################## @@ -89,9 +89,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if ## Read alsa lib files. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.10/policy/modules/admin/alsa.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.11/policy/modules/admin/alsa.te --- nsaserefpolicy/policy/modules/admin/alsa.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/admin/alsa.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/alsa.te 2010-03-03 23:48:01.000000000 -0500 @@ -51,6 +51,8 @@ files_read_etc_files(alsa_t) files_read_usr_files(alsa_t) @@ -101,9 +101,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te auth_use_nsswitch(alsa_t) init_use_fds(alsa_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.10/policy/modules/admin/anaconda.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.11/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/admin/anaconda.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/anaconda.te 2010-03-03 23:48:01.000000000 -0500 @@ -31,6 +31,7 @@ modutils_domtrans_insmod(anaconda_t) @@ -121,9 +121,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.7.10/policy/modules/admin/brctl.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.7.11/policy/modules/admin/brctl.te --- nsaserefpolicy/policy/modules/admin/brctl.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/admin/brctl.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/brctl.te 2010-03-03 23:48:01.000000000 -0500 @@ -21,7 +21,7 @@ allow brctl_t self:unix_dgram_socket create_socket_perms; allow brctl_t self:tcp_socket create_socket_perms; @@ -133,9 +133,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.t kernel_read_network_state(brctl_t) kernel_read_sysctl(brctl_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.10/policy/modules/admin/certwatch.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.11/policy/modules/admin/certwatch.te --- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/certwatch.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/certwatch.te 2010-03-03 23:48:01.000000000 -0500 @@ -36,7 +36,7 @@ miscfiles_read_localization(certwatch_t) @@ -145,9 +145,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat optional_policy(` apache_exec_modules(certwatch_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.7.10/policy/modules/admin/consoletype.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.7.11/policy/modules/admin/consoletype.if --- nsaserefpolicy/policy/modules/admin/consoletype.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/admin/consoletype.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/consoletype.if 2010-03-03 23:48:01.000000000 -0500 @@ -19,6 +19,9 @@ corecmd_search_bin($1) @@ -158,9 +158,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.10/policy/modules/admin/consoletype.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.11/policy/modules/admin/consoletype.te --- nsaserefpolicy/policy/modules/admin/consoletype.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/consoletype.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/consoletype.te 2010-03-03 23:48:01.000000000 -0500 @@ -10,7 +10,6 @@ type consoletype_exec_t; application_executable_file(consoletype_exec_t) @@ -169,9 +169,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console role system_r types consoletype_t; ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.10/policy/modules/admin/firstboot.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.11/policy/modules/admin/firstboot.te --- nsaserefpolicy/policy/modules/admin/firstboot.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/admin/firstboot.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/firstboot.te 2010-03-03 23:48:01.000000000 -0500 @@ -91,8 +91,12 @@ userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) @@ -194,9 +194,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.7.10/policy/modules/admin/kismet.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.7.11/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 2009-11-25 15:15:48.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/kismet.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/kismet.te 2010-03-03 23:48:01.000000000 -0500 @@ -45,6 +45,7 @@ manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t) manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t) @@ -223,9 +223,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. corecmd_exec_bin(kismet_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.10/policy/modules/admin/logrotate.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.11/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/admin/logrotate.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/logrotate.te 2010-03-03 23:48:01.000000000 -0500 @@ -32,7 +32,7 @@ # Change ownership on log files. allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; @@ -325,9 +325,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota +optional_policy(` varnishd_manage_log(logrotate_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.10/policy/modules/admin/logwatch.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.11/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/admin/logwatch.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/logwatch.te 2010-03-03 23:48:01.000000000 -0500 @@ -93,6 +93,13 @@ sysnet_exec_ifconfig(logwatch_t) @@ -348,15 +348,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc samba_read_log(logwatch_t) + samba_read_share_files(logwatch_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.7.10/policy/modules/admin/mcelog.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.7.11/policy/modules/admin/mcelog.fc --- nsaserefpolicy/policy/modules/admin/mcelog.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/mcelog.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/mcelog.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,2 @@ + +/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.if serefpolicy-3.7.10/policy/modules/admin/mcelog.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.if serefpolicy-3.7.11/policy/modules/admin/mcelog.if --- nsaserefpolicy/policy/modules/admin/mcelog.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/mcelog.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/mcelog.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,21 @@ + +## policy for mcelog @@ -379,9 +379,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog. + domtrans_pattern($1, mcelog_exec_t, mcelog_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.7.10/policy/modules/admin/mcelog.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.7.11/policy/modules/admin/mcelog.te --- nsaserefpolicy/policy/modules/admin/mcelog.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/mcelog.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/mcelog.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,32 @@ + +policy_module(mcelog,1.0.0) @@ -415,9 +415,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog. +miscfiles_read_localization(mcelog_t) + +logging_send_syslog_msg(mcelog_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.10/policy/modules/admin/mrtg.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.11/policy/modules/admin/mrtg.te --- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/mrtg.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/mrtg.te 2010-03-03 23:48:01.000000000 -0500 @@ -116,6 +116,7 @@ userdom_use_user_terminals(mrtg_t) userdom_dontaudit_read_user_home_content_files(mrtg_t) @@ -426,9 +426,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te netutils_domtrans_ping(mrtg_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.10/policy/modules/admin/netutils.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.11/policy/modules/admin/netutils.fc --- nsaserefpolicy/policy/modules/admin/netutils.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/admin/netutils.fc 2010-02-24 10:17:21.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/netutils.fc 2010-03-03 23:48:01.000000000 -0500 @@ -9,6 +9,7 @@ /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) @@ -437,9 +437,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil /usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0) /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.10/policy/modules/admin/netutils.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.11/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/netutils.te 2010-02-26 15:38:35.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/netutils.te 2010-03-03 23:48:01.000000000 -0500 @@ -44,6 +44,7 @@ allow netutils_t self:packet_socket create_socket_perms; allow netutils_t self:udp_socket create_socket_perms; @@ -490,17 +490,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil + term_use_all_ttys(traceroute_t) + term_use_all_ptys(traceroute_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.10/policy/modules/admin/prelink.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.11/policy/modules/admin/prelink.fc --- nsaserefpolicy/policy/modules/admin/prelink.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/admin/prelink.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/prelink.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,3 +1,4 @@ +/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0) /etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.10/policy/modules/admin/prelink.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.11/policy/modules/admin/prelink.if --- nsaserefpolicy/policy/modules/admin/prelink.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/admin/prelink.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/prelink.if 2010-03-03 23:48:01.000000000 -0500 @@ -21,6 +21,25 @@ ######################################## @@ -541,9 +541,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink - relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) + relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.10/policy/modules/admin/prelink.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.11/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/prelink.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/prelink.te 2010-03-03 23:48:01.000000000 -0500 @@ -21,8 +21,21 @@ type prelink_tmp_t; files_tmp_file(prelink_tmp_t) @@ -667,9 +667,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink +optional_policy(` + rpm_read_db(prelink_cron_system_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.7.10/policy/modules/admin/quota.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.7.11/policy/modules/admin/quota.te --- nsaserefpolicy/policy/modules/admin/quota.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/admin/quota.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/quota.te 2010-03-03 23:48:01.000000000 -0500 @@ -39,6 +39,7 @@ kernel_list_proc(quota_t) kernel_read_proc_symlinks(quota_t) @@ -678,9 +678,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.t dev_read_sysfs(quota_t) dev_getattr_all_blk_files(quota_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.10/policy/modules/admin/readahead.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.11/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/readahead.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/readahead.te 2010-03-03 23:48:01.000000000 -0500 @@ -52,6 +52,7 @@ files_list_non_security(readahead_t) @@ -698,9 +698,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) fs_dontaudit_search_ramfs(readahead_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.10/policy/modules/admin/rpm.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.11/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/admin/rpm.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/rpm.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,18 +1,19 @@ /bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -751,9 +751,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc # SuSE ifdef(`distro_suse', ` /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.10/policy/modules/admin/rpm.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.11/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/admin/rpm.if 2010-03-01 09:23:04.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/rpm.if 2010-03-03 23:48:01.000000000 -0500 @@ -13,11 +13,36 @@ interface(`rpm_domtrans',` gen_require(` @@ -1207,9 +1207,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.10/policy/modules/admin/rpm.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.11/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/admin/rpm.te 2010-02-26 09:13:01.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/rpm.te 2010-03-03 23:48:01.000000000 -0500 @@ -1,6 +1,8 @@ policy_module(rpm, 1.10.0) @@ -1494,18 +1494,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te optional_policy(` java_domtrans_unconfined(rpm_script_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.7.10/policy/modules/admin/shorewall.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.7.11/policy/modules/admin/shorewall.fc --- nsaserefpolicy/policy/modules/admin/shorewall.fc 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/shorewall.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/shorewall.fc 2010-03-03 23:48:01.000000000 -0500 @@ -10,3 +10,5 @@ /var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) /var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) /var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) + +/var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.10/policy/modules/admin/shorewall.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.11/policy/modules/admin/shorewall.te --- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/shorewall.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/shorewall.te 2010-03-03 23:48:01.000000000 -0500 @@ -29,6 +29,9 @@ type shorewall_var_lib_t; files_type(shorewall_var_lib_t) @@ -1536,22 +1536,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa optional_policy(` iptables_domtrans(shorewall_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.7.10/policy/modules/admin/smoltclient.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.7.11/policy/modules/admin/smoltclient.fc --- nsaserefpolicy/policy/modules/admin/smoltclient.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/smoltclient.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/smoltclient.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,4 @@ + +/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0) + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.7.10/policy/modules/admin/smoltclient.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.7.11/policy/modules/admin/smoltclient.if --- nsaserefpolicy/policy/modules/admin/smoltclient.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/smoltclient.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/smoltclient.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1 @@ +## The Fedora hardware profiler client -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.10/policy/modules/admin/smoltclient.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.11/policy/modules/admin/smoltclient.te --- nsaserefpolicy/policy/modules/admin/smoltclient.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/smoltclient.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/smoltclient.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,66 @@ +policy_module(smoltclient,1.0.0) + @@ -1619,9 +1619,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltcl + rpm_exec(smoltclient_t) + rpm_read_db(smoltclient_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.10/policy/modules/admin/sudo.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.11/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/sudo.if 2010-02-26 14:44:57.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/sudo.if 2010-03-03 23:48:01.000000000 -0500 @@ -73,12 +73,16 @@ # Enter this derived domain from the user domain domtrans_pattern($3, sudo_exec_t, $1_sudo_t) @@ -1650,9 +1650,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_sudo_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.7.10/policy/modules/admin/su.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.7.11/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/su.if 2010-02-26 14:44:23.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/su.if 2010-03-03 23:48:01.000000000 -0500 @@ -58,6 +58,10 @@ allow $2 $1_su_t:fifo_file rw_file_perms; allow $2 $1_su_t:process sigchld; @@ -1675,9 +1675,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ps_process_pattern($3, $1_su_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.10/policy/modules/admin/tmpreaper.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.11/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/admin/tmpreaper.te 2010-02-24 17:01:02.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/tmpreaper.te 2010-03-03 23:48:01.000000000 -0500 @@ -42,6 +42,7 @@ cron_system_entry(tmpreaper_t, tmpreaper_exec_t) @@ -1716,9 +1716,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap +optional_policy(` unconfined_domain(tmpreaper_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.10/policy/modules/admin/usermanage.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.11/policy/modules/admin/usermanage.if --- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/admin/usermanage.if 2010-02-26 14:43:39.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/usermanage.if 2010-03-03 23:48:01.000000000 -0500 @@ -18,6 +18,10 @@ files_search_usr($1) corecmd_search_bin($1) @@ -1774,9 +1774,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman optional_policy(` nscd_run(useradd_t, $2) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.10/policy/modules/admin/usermanage.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.11/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/usermanage.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/usermanage.te 2010-03-03 23:48:01.000000000 -0500 @@ -209,6 +209,7 @@ files_manage_etc_files(groupadd_t) files_relabel_etc_files(groupadd_t) @@ -1845,9 +1845,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman puppet_rw_tmp(useradd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.10/policy/modules/admin/vbetool.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.11/policy/modules/admin/vbetool.te --- nsaserefpolicy/policy/modules/admin/vbetool.te 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/vbetool.te 2010-02-25 18:25:39.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/vbetool.te 2010-03-03 23:48:01.000000000 -0500 @@ -25,7 +25,13 @@ dev_rw_xserver_misc(vbetool_t) dev_rw_mtrr(vbetool_t) @@ -1862,9 +1862,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool term_use_unallocated_ttys(vbetool_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.10/policy/modules/admin/vpn.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.11/policy/modules/admin/vpn.te --- nsaserefpolicy/policy/modules/admin/vpn.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/admin/vpn.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/admin/vpn.te 2010-03-03 23:48:01.000000000 -0500 @@ -46,6 +46,7 @@ kernel_read_system_state(vpnc_t) kernel_read_network_state(vpnc_t) @@ -1881,9 +1881,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te optional_policy(` dbus_system_bus_client(vpnc_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.te serefpolicy-3.7.10/policy/modules/apps/cdrecord.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.te serefpolicy-3.7.11/policy/modules/apps/cdrecord.te --- nsaserefpolicy/policy/modules/apps/cdrecord.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/cdrecord.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/cdrecord.te 2010-03-03 23:48:01.000000000 -0500 @@ -32,6 +32,8 @@ allow cdrecord_t self:unix_dgram_socket create_socket_perms; allow cdrecord_t self:unix_stream_socket create_stream_socket_perms; @@ -1893,15 +1893,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord # allow searching for cdrom-drive dev_list_all_dev_nodes(cdrecord_t) dev_read_sysfs(cdrecord_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.10/policy/modules/apps/chrome.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.11/policy/modules/apps/chrome.fc --- nsaserefpolicy/policy/modules/apps/chrome.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/chrome.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/chrome.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,2 @@ + +/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.10/policy/modules/apps/chrome.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.11/policy/modules/apps/chrome.if --- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/chrome.if 2010-02-26 14:30:20.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/chrome.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,90 @@ + +## policy for chrome @@ -1993,10 +1993,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i + allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.10/policy/modules/apps/chrome.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.11/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/chrome.te 2010-02-26 10:42:14.000000000 -0500 -@@ -0,0 +1,82 @@ ++++ serefpolicy-3.7.11/policy/modules/apps/chrome.te 2010-03-03 23:48:01.000000000 -0500 +@@ -0,0 +1,81 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -2020,7 +2020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t +# +# chrome_sandbox local policy +# -+allow chrome_sandbox_t self:capability { setuid sys_admin sys_ptrace dac_override sys_chroot chown fsetid setgid }; ++allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; +allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; +allow chrome_sandbox_t self:fifo_file manage_file_perms; +allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms; @@ -2078,10 +2078,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t + fs_dontaudit_append_cifs_files(chrome_sandbox_t) + fs_dontaudit_read_cifs_files(chrome_sandbox_t) +') -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.10/policy/modules/apps/cpufreqselector.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.11/policy/modules/apps/cpufreqselector.te --- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/cpufreqselector.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/cpufreqselector.te 2010-03-03 23:48:01.000000000 -0500 @@ -26,7 +26,7 @@ dev_rw_sysfs(cpufreqselector_t) @@ -2091,9 +2090,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs optional_policy(` dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.10/policy/modules/apps/execmem.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.11/policy/modules/apps/execmem.fc --- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/execmem.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/execmem.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,43 @@ +/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) @@ -2138,9 +2137,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. + +/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) +/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.10/policy/modules/apps/execmem.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.11/policy/modules/apps/execmem.if --- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/execmem.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/execmem.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,108 @@ +## execmem domain + @@ -2250,9 +2249,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. + + domtrans_pattern($1, execmem_exec_t, $2) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.10/policy/modules/apps/execmem.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.11/policy/modules/apps/execmem.te --- nsaserefpolicy/policy/modules/apps/execmem.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/execmem.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/execmem.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,11 @@ + +policy_module(execmem, 1.0.0) @@ -2265,16 +2264,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. +type execmem_exec_t alias unconfined_execmem_exec_t; +application_executable_file(execmem_exec_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.10/policy/modules/apps/firewallgui.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.11/policy/modules/apps/firewallgui.fc --- nsaserefpolicy/policy/modules/apps/firewallgui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/firewallgui.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/firewallgui.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,3 @@ + +/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.10/policy/modules/apps/firewallgui.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.11/policy/modules/apps/firewallgui.if --- nsaserefpolicy/policy/modules/apps/firewallgui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/firewallgui.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/firewallgui.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,23 @@ + +## policy for firewallgui @@ -2299,9 +2298,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall + allow $1 firewallgui_t:dbus send_msg; + allow firewallgui_t $1:dbus send_msg; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.10/policy/modules/apps/firewallgui.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.11/policy/modules/apps/firewallgui.te --- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/firewallgui.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/firewallgui.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,66 @@ + +policy_module(firewallgui,1.0.0) @@ -2369,9 +2368,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall + policykit_dbus_chat(firewallgui_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.10/policy/modules/apps/gitosis.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.11/policy/modules/apps/gitosis.if --- nsaserefpolicy/policy/modules/apps/gitosis.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/apps/gitosis.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/gitosis.if 2010-03-03 23:48:01.000000000 -0500 @@ -43,3 +43,47 @@ role $2 types gitosis_t; ') @@ -2420,9 +2419,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis. + manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) + manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.10/policy/modules/apps/gnome.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.11/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/apps/gnome.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/gnome.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,8 +1,28 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) @@ -2454,9 +2453,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc + +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.10/policy/modules/apps/gnome.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.11/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/apps/gnome.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/gnome.if 2010-03-03 23:48:01.000000000 -0500 @@ -74,6 +74,24 @@ ######################################## @@ -2693,9 +2692,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if + + allow $1 gnome_home_type:file rw_inherited_file_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.10/policy/modules/apps/gnome.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.11/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/apps/gnome.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/gnome.te 2010-03-03 23:48:01.000000000 -0500 @@ -7,18 +7,33 @@ # @@ -2844,18 +2843,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te + policykit_read_lib(gnomesystemmm_t) + policykit_read_reload(gnomesystemmm_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.7.10/policy/modules/apps/gpg.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.7.11/policy/modules/apps/gpg.fc --- nsaserefpolicy/policy/modules/apps/gpg.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/apps/gpg.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/gpg.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,4 +1,5 @@ HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) +/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.10/policy/modules/apps/gpg.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.11/policy/modules/apps/gpg.if --- nsaserefpolicy/policy/modules/apps/gpg.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/apps/gpg.if 2010-03-01 11:52:26.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/gpg.if 2010-03-03 23:48:01.000000000 -0500 @@ -52,11 +52,8 @@ ifdef(`hide_broken_symptoms',` @@ -2869,9 +2868,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s ') ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.10/policy/modules/apps/gpg.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.11/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/gpg.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/gpg.te 2010-03-03 23:48:01.000000000 -0500 @@ -20,6 +20,7 @@ typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t }; application_domain(gpg_t, gpg_exec_t) @@ -2912,9 +2911,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s ######################################## # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.10/policy/modules/apps/java.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.11/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/java.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/java.fc 2010-03-03 23:48:01.000000000 -0500 @@ -9,6 +9,7 @@ # # /usr @@ -2934,9 +2933,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc + +/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.10/policy/modules/apps/java.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.11/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/java.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/java.if 2010-03-03 23:48:01.000000000 -0500 @@ -72,6 +72,7 @@ domain_interactive_fd($1_java_t) @@ -2962,9 +2961,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.10/policy/modules/apps/java.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.11/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/java.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/java.te 2010-03-03 23:48:01.000000000 -0500 @@ -147,6 +147,14 @@ init_dbus_chat_script(unconfined_java_t) @@ -2980,21 +2979,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te + rpm_domtrans(unconfined_java_t) + ') ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.10/policy/modules/apps/kdumpgui.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.11/policy/modules/apps/kdumpgui.fc --- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/kdumpgui.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/kdumpgui.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,2 @@ + +/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.10/policy/modules/apps/kdumpgui.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.11/policy/modules/apps/kdumpgui.if --- nsaserefpolicy/policy/modules/apps/kdumpgui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/kdumpgui.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/kdumpgui.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,2 @@ +## system-config-kdump policy + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.10/policy/modules/apps/kdumpgui.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.11/policy/modules/apps/kdumpgui.te --- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/kdumpgui.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/kdumpgui.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,68 @@ +policy_module(kdumpgui,1.0.0) + @@ -3064,15 +3063,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui +optional_policy(` + policykit_dbus_chat(kdumpgui_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.10/policy/modules/apps/livecd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.11/policy/modules/apps/livecd.fc --- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/livecd.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/livecd.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,2 @@ + +/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.10/policy/modules/apps/livecd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.11/policy/modules/apps/livecd.if --- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/livecd.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/livecd.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,52 @@ + +## policy for livecd @@ -3126,9 +3125,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.i + usermanage_run_chfn(livecd_t, $2) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.10/policy/modules/apps/livecd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.11/policy/modules/apps/livecd.te --- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/livecd.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/livecd.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,27 @@ +policy_module(livecd, 1.0.0) + @@ -3157,9 +3156,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.t + +seutil_domtrans_setfiles_mac(livecd_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-3.7.10/policy/modules/apps/loadkeys.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-3.7.11/policy/modules/apps/loadkeys.if --- nsaserefpolicy/policy/modules/apps/loadkeys.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/apps/loadkeys.if 2010-02-26 14:41:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/loadkeys.if 2010-03-03 23:48:01.000000000 -0500 @@ -17,6 +17,9 @@ corecmd_search_bin($1) @@ -3170,9 +3169,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.10/policy/modules/apps/loadkeys.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.11/policy/modules/apps/loadkeys.te --- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/apps/loadkeys.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/loadkeys.te 2010-03-03 23:48:01.000000000 -0500 @@ -40,8 +40,12 @@ miscfiles_read_localization(loadkeys_t) @@ -3187,9 +3186,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys +ifdef(`hide_broken_symptoms',` + dev_dontaudit_rw_lvm_control(loadkeys_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.10/policy/modules/apps/mono.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.11/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/mono.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/mono.if 2010-03-03 23:48:01.000000000 -0500 @@ -40,10 +40,10 @@ domain_interactive_fd($1_mono_t) application_type($1_mono_t) @@ -3202,9 +3201,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; domtrans_pattern($3, mono_exec_t, $1_mono_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.10/policy/modules/apps/mozilla.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.11/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/apps/mozilla.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/mozilla.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,6 +1,7 @@ HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -3221,9 +3220,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.10/policy/modules/apps/mozilla.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.11/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/mozilla.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/mozilla.if 2010-03-03 23:48:01.000000000 -0500 @@ -48,6 +48,12 @@ mozilla_dbus_chat($2) @@ -3269,9 +3268,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. + allow $1 mozilla_home_t:file execmod; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.10/policy/modules/apps/mozilla.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.11/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/mozilla.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/mozilla.te 2010-03-03 23:48:01.000000000 -0500 @@ -91,6 +91,7 @@ corenet_raw_sendrecv_generic_node(mozilla_t) corenet_tcp_sendrecv_http_port(mozilla_t) @@ -3330,9 +3329,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. +optional_policy(` thunderbird_domtrans(mozilla_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.10/policy/modules/apps/nsplugin.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.11/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/nsplugin.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/nsplugin.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,10 @@ +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) @@ -3344,9 +3343,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.10/policy/modules/apps/nsplugin.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.11/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/nsplugin.if 2010-03-01 11:46:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/nsplugin.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,355 @@ + +## policy for nsplugin @@ -3703,9 +3702,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + allow $1 nsplugin_t:sem rw_sem_perms; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.10/policy/modules/apps/nsplugin.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.11/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/nsplugin.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/nsplugin.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,296 @@ + +policy_module(nsplugin, 1.0.0) @@ -4003,16 +4002,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.10/policy/modules/apps/openoffice.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.11/policy/modules/apps/openoffice.fc --- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/openoffice.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/openoffice.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,3 @@ +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.10/policy/modules/apps/openoffice.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.11/policy/modules/apps/openoffice.if --- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/openoffice.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/openoffice.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,92 @@ +## Openoffice + @@ -4106,9 +4105,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi + xserver_common_x_domain_template($1, $1_openoffice_t) + ') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.10/policy/modules/apps/openoffice.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.11/policy/modules/apps/openoffice.te --- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/openoffice.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/openoffice.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,11 @@ + +policy_module(openoffice, 1.0.0) @@ -4121,9 +4120,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi +type openoffice_t; +type openoffice_exec_t; +application_domain(openoffice_t, openoffice_exec_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.10/policy/modules/apps/podsleuth.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.11/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/podsleuth.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/podsleuth.te 2010-03-03 23:48:01.000000000 -0500 @@ -50,6 +50,7 @@ fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file }) @@ -4147,9 +4146,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut optional_policy(` dbus_system_bus_client(podsleuth_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.7.10/policy/modules/apps/ptchown.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.7.11/policy/modules/apps/ptchown.if --- nsaserefpolicy/policy/modules/apps/ptchown.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/apps/ptchown.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/ptchown.if 2010-03-03 23:48:01.000000000 -0500 @@ -18,3 +18,27 @@ domtrans_pattern($1, ptchown_exec_t, ptchown_t) ') @@ -4178,20 +4177,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown. + ptchown_domtrans($1) + role $2 types ptchown_t; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.10/policy/modules/apps/pulseaudio.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.11/policy/modules/apps/pulseaudio.fc --- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/apps/pulseaudio.fc 2010-02-23 15:54:38.000000000 -0500 -@@ -1 +1,7 @@ ++++ serefpolicy-3.7.11/policy/modules/apps/pulseaudio.fc 2010-03-04 09:44:00.000000000 -0500 +@@ -1 +1,9 @@ +HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) +HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0) + ++/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) ++ +/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) + /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.10/policy/modules/apps/pulseaudio.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.11/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/apps/pulseaudio.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/pulseaudio.if 2010-03-03 23:48:01.000000000 -0500 @@ -29,7 +29,7 @@ ps_process_pattern($2, pulseaudio_t) @@ -4295,10 +4296,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud - allow $1 pulseaudio_t:unix_stream_socket connectto; + stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.10/policy/modules/apps/pulseaudio.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.11/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/pulseaudio.te 2010-03-01 09:47:28.000000000 -0500 -@@ -8,17 +8,28 @@ ++++ serefpolicy-3.7.11/policy/modules/apps/pulseaudio.te 2010-03-04 11:08:17.000000000 -0500 +@@ -8,24 +8,51 @@ type pulseaudio_t; type pulseaudio_exec_t; @@ -4306,21 +4307,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud application_domain(pulseaudio_t, pulseaudio_exec_t) role system_r types pulseaudio_t; -+type pulseaudio_var_run_t; -+files_pid_file(pulseaudio_var_run_t) -+ +type pulseaudio_home_t; +userdom_user_home_content(pulseaudio_home_t) + +type pulseaudio_tmpfs_t; +files_tmpfs_file(pulseaudio_tmpfs_t) + ++type pulseaudio_var_lib_t; ++files_type(pulseaudio_var_lib_t) ++ ++type pulseaudio_var_run_t; ++files_pid_file(pulseaudio_var_run_t) ++ ######################################## # # pulseaudio local policy # - -+allow pulseaudio_t self:capability { setuid sys_nice setgid }; +- ++allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource }; allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull }; allow pulseaudio_t self:fifo_file rw_file_perms; -allow pulseaudio_t self:unix_stream_socket create_stream_socket_perms; @@ -4328,36 +4332,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms }; allow pulseaudio_t self:tcp_socket create_stream_socket_perms; allow pulseaudio_t self:udp_socket create_socket_perms; -@@ -26,6 +37,7 @@ + allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; ++userdom_search_user_home_dirs(pulseaudio_t) ++manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) ++manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) ++ ++manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) ++manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) ++files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) ++ ++manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) ++manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) ++manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) ++files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file }) ++ can_exec(pulseaudio_t, pulseaudio_exec_t) +kernel_getattr_proc(pulseaudio_t) kernel_read_system_state(pulseaudio_t) kernel_read_kernel_sysctls(pulseaudio_t) -@@ -66,11 +78,17 @@ - bluetooth_stream_connect(pulseaudio_t) +@@ -67,10 +94,7 @@ ') --optional_policy(` + optional_policy(` - gnome_manage_config(pulseaudio_t) -') -+manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) -+manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) -+manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) -+files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file }) -+ -+userdom_search_user_home_dirs(pulseaudio_t) -+manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) -+manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) - - optional_policy(` +- +-optional_policy(` + dbus_system_domain(pulseaudio_t, pulseaudio_exec_t) dbus_system_bus_client(pulseaudio_t) dbus_session_bus_client(pulseaudio_t) dbus_connect_session_bus(pulseaudio_t) -@@ -93,6 +111,10 @@ +@@ -93,6 +117,10 @@ ') optional_policy(` @@ -4368,7 +4376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud policykit_domtrans_auth(pulseaudio_t) policykit_read_lib(pulseaudio_t) policykit_read_reload(pulseaudio_t) -@@ -103,6 +125,9 @@ +@@ -103,6 +131,9 @@ ') optional_policy(` @@ -4378,9 +4386,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud + xserver_read_xdm_pid(pulseaudio_t) + xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.10/policy/modules/apps/qemu.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.11/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/qemu.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/qemu.if 2010-03-03 23:48:01.000000000 -0500 @@ -127,12 +127,14 @@ template(`qemu_role',` gen_require(` @@ -4469,9 +4477,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.10/policy/modules/apps/qemu.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.11/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/qemu.te 2010-02-26 10:43:41.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/qemu.te 2010-03-03 23:48:01.000000000 -0500 @@ -50,6 +50,8 @@ # # qemu local policy @@ -4502,20 +4510,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te allow unconfined_qemu_t self:process { execstack execmem }; + allow unconfined_qemu_t qemu_exec_t:file execmod; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.10/policy/modules/apps/sambagui.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.11/policy/modules/apps/sambagui.fc --- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/sambagui.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/sambagui.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1 @@ +/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.10/policy/modules/apps/sambagui.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.11/policy/modules/apps/sambagui.if --- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/sambagui.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/sambagui.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,2 @@ +## system-config-samba policy + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.10/policy/modules/apps/sambagui.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.11/policy/modules/apps/sambagui.te --- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/sambagui.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/sambagui.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,66 @@ +policy_module(sambagui,1.0.0) + @@ -4583,14 +4591,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui +optional_policy(` + policykit_dbus_chat(sambagui_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.10/policy/modules/apps/sandbox.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.11/policy/modules/apps/sandbox.fc --- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/sandbox.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/sandbox.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1 @@ +# No types are sandbox_exec_t -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.10/policy/modules/apps/sandbox.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.11/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/sandbox.if 2010-02-24 10:22:17.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/sandbox.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,248 @@ + +## policy for sandbox @@ -4840,10 +4848,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + + allow $1 sandbox_file_type:dir list_dir_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.10/policy/modules/apps/sandbox.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.11/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/sandbox.te 2010-02-23 15:54:38.000000000 -0500 -@@ -0,0 +1,364 @@ ++++ serefpolicy-3.7.11/policy/modules/apps/sandbox.te 2010-03-03 23:48:01.000000000 -0500 +@@ -0,0 +1,365 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -4928,6 +4936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +logging_send_audit_msgs(sandbox_xserver_t) + +userdom_use_user_terminals(sandbox_xserver_t) ++userdom_dontaudit_search_user_home_content(sandbox_xserver_t) + +xserver_entry_type(sandbox_xserver_t) + @@ -5208,9 +5217,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +optional_policy(` + hal_dbus_chat(sandbox_net_client_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.10/policy/modules/apps/screen.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.11/policy/modules/apps/screen.if --- nsaserefpolicy/policy/modules/apps/screen.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/screen.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/screen.if 2010-03-03 23:48:01.000000000 -0500 @@ -141,6 +141,7 @@ userdom_create_user_pty($1_screen_t) userdom_user_home_domtrans($1_screen_t, $3) @@ -5219,9 +5228,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i tunable_policy(`use_samba_home_dirs',` fs_cifs_domtrans($1_screen_t, $3) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.10/policy/modules/apps/seunshare.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.11/policy/modules/apps/seunshare.if --- nsaserefpolicy/policy/modules/apps/seunshare.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/seunshare.if 2010-02-26 14:42:02.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/seunshare.if 2010-03-03 23:48:01.000000000 -0500 @@ -2,59 +2,14 @@ ######################################## @@ -5319,9 +5328,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar + dontaudit $1_seunshare_t $3:socket_class_set { read write }; + ') ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.10/policy/modules/apps/seunshare.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.11/policy/modules/apps/seunshare.te --- nsaserefpolicy/policy/modules/apps/seunshare.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/seunshare.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/seunshare.te 2010-03-03 23:48:01.000000000 -0500 @@ -6,40 +6,39 @@ # Declarations # @@ -5380,9 +5389,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar + mozilla_dontaudit_manage_user_home_files(seunshare_domain) ') ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.10/policy/modules/apps/slocate.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.11/policy/modules/apps/slocate.te --- nsaserefpolicy/policy/modules/apps/slocate.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/apps/slocate.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/slocate.te 2010-03-03 23:48:01.000000000 -0500 @@ -30,6 +30,7 @@ manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t) @@ -5399,9 +5408,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate. # getpwnam auth_use_nsswitch(locate_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.7.10/policy/modules/apps/vmware.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.7.11/policy/modules/apps/vmware.if --- nsaserefpolicy/policy/modules/apps/vmware.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/apps/vmware.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/vmware.if 2010-03-03 23:48:01.000000000 -0500 @@ -84,3 +84,22 @@ logging_search_logs($1) append_files_pattern($1, vmware_log_t, vmware_log_t) @@ -5425,9 +5434,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i + can_exec($1, vmware_host_exec_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.10/policy/modules/apps/vmware.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.11/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/vmware.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/vmware.te 2010-03-03 23:48:01.000000000 -0500 @@ -29,6 +29,10 @@ type vmware_host_exec_t; init_daemon_domain(vmware_host_t, vmware_host_exec_t) @@ -5451,9 +5460,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.10/policy/modules/apps/wine.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.11/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/wine.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/wine.if 2010-03-03 23:48:01.000000000 -0500 @@ -35,6 +35,8 @@ role $1 types wine_t; @@ -5479,9 +5488,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if optional_policy(` xserver_role($1_r, $1_wine_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.10/policy/modules/apps/wine.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.11/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/apps/wine.te 2010-02-24 12:06:19.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/apps/wine.te 2010-03-03 23:48:01.000000000 -0500 @@ -1,6 +1,14 @@ policy_module(wine, 1.6.1) @@ -5512,18 +5521,61 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te files_execmod_all_files(wine_t) -@@ -41,7 +55,7 @@ - ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.7.11/policy/modules/apps/wm.if +--- nsaserefpolicy/policy/modules/apps/wm.if 2009-07-27 18:11:17.000000000 -0400 ++++ serefpolicy-3.7.11/policy/modules/apps/wm.if 2010-03-04 09:20:55.000000000 -0500 +@@ -30,6 +30,7 @@ + template(`wm_role_template',` + gen_require(` + type wm_exec_t; ++ class dbus send_msg; + ') - optional_policy(` -- unconfined_domain_noaudit(wine_t) -+ unconfined_domain(wine_t) + type $1_wm_t; +@@ -42,6 +43,12 @@ + allow $1_wm_t self:shm create_shm_perms; + + allow $1_wm_t $3:unix_stream_socket connectto; ++ allow $3 $1_wm_t:unix_stream_socket connectto; ++ allow $3 $1_wm_t:process signal; ++ allow $1_wm_t $3:process signull; ++ ++ allow $1_wm_t $3:dbus send_msg; ++ allow $3 $1_wm_t:dbus send_msg; + + domtrans_pattern($3, wm_exec_t, $1_wm_t) + +@@ -55,6 +62,8 @@ + files_read_etc_files($1_wm_t) + files_read_usr_files($1_wm_t) + ++ fs_getattr_tmpfs($1_wm_t) ++ + mls_file_read_all_levels($1_wm_t) + mls_file_write_all_levels($1_wm_t) + mls_xwin_read_all_levels($1_wm_t) +@@ -72,11 +81,18 @@ + + optional_policy(` + dbus_system_bus_client($1_wm_t) ++ dbus_session_bus_client($1_wm_t) ++ ') ++ ++ optional_policy(` ++ pulseaudio_stream_connect($1_wm_t) + ') + + optional_policy(` + xserver_role($2, $1_wm_t) ++ xserver_manage_core_devices($1_wm_t) + ') ++ ') - optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.10/policy/modules/kernel/corecommands.fc + ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.11/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/kernel/corecommands.fc 2010-02-26 11:12:57.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/kernel/corecommands.fc 2010-03-03 23:48:01.000000000 -0500 @@ -44,15 +44,17 @@ /etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0) /etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0) @@ -5618,10 +5670,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco +/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) + +/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.10/policy/modules/kernel/corecommands.if ---- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/kernel/corecommands.if 2010-02-23 15:54:38.000000000 -0500 -@@ -893,6 +893,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.11/policy/modules/kernel/corecommands.if +--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-03-01 15:12:54.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/kernel/corecommands.if 2010-03-03 23:48:01.000000000 -0500 +@@ -931,6 +931,7 @@ read_lnk_files_pattern($1, bin_t, bin_t) can_exec($1, chroot_exec_t) @@ -5629,7 +5681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') ######################################## -@@ -918,6 +919,25 @@ +@@ -956,6 +957,25 @@ ######################################## ## @@ -5655,7 +5707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ## Execute all executable files. ## ## -@@ -973,6 +993,7 @@ +@@ -1011,6 +1031,7 @@ type bin_t; ') @@ -5663,10 +5715,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.7.10/policy/modules/kernel/corenetwork.if.in ---- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/kernel/corenetwork.if.in 2010-02-23 15:54:38.000000000 -0500 -@@ -1705,6 +1705,24 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.7.11/policy/modules/kernel/corenetwork.if.in +--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2010-03-03 23:26:37.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/kernel/corenetwork.if.in 2010-03-03 23:48:01.000000000 -0500 +@@ -1920,6 +1920,24 @@ ######################################## ## @@ -5691,9 +5743,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ## Getattr the point-to-point device. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.10/policy/modules/kernel/corenetwork.te.in ---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-02-16 14:58:22.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/kernel/corenetwork.te.in 2010-02-23 15:54:38.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.11/policy/modules/kernel/corenetwork.te.in +--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-03-01 15:12:54.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/kernel/corenetwork.te.in 2010-03-04 09:58:31.000000000 -0500 @@ -65,6 +65,7 @@ type server_packet_t, packet_type, server_packet_type; @@ -5744,7 +5796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) network_port(ircd, tcp,6667,s0) network_port(isakmp, udp,500,s0) -@@ -131,8 +140,9 @@ +@@ -131,32 +140,42 @@ network_port(ktalkd, udp,517,s0, udp,518,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) network_port(lmtp, tcp,24,s0, udp,24,s0) @@ -5755,9 +5807,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(memcache, tcp,11211,s0, udp,11211,s0) network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) -@@ -141,21 +151,29 @@ + network_port(msnp, tcp,1863,s0, udp,1863,s0) ++network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0) + network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) + network_port(mysqlmanagerd, tcp,2273,s0) network_port(nessus, tcp,1241,s0) -network_port(netsupport, tcp,5405,s0, udp,5405,s0) +network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) @@ -5786,7 +5841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -175,33 +193,38 @@ +@@ -176,22 +195,24 @@ network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) @@ -5812,10 +5867,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene +network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0) network_port(transproxy, tcp,8081,s0) --network_port(ups, tcp,3493,s0) - type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon - network_port(uucpd, tcp,540,s0) -+network_port(ups, tcp,3493,s0) + network_port(ups, tcp,3493,s0) +@@ -200,9 +221,12 @@ network_port(varnishd, tcp,6081,s0, tcp,6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152,s0) @@ -5829,7 +5882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -230,6 +253,8 @@ +@@ -231,6 +255,8 @@ type node_t, node_type; sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh) @@ -5838,9 +5891,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene # network_node examples: #network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255) #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.10/policy/modules/kernel/devices.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.11/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-11-20 10:51:41.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/kernel/devices.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/kernel/devices.fc 2010-03-03 23:48:01.000000000 -0500 @@ -16,13 +16,16 @@ /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) @@ -5899,10 +5952,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0) /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.10/policy/modules/kernel/devices.if ---- nsaserefpolicy/policy/modules/kernel/devices.if 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/kernel/devices.if 2010-02-23 15:54:38.000000000 -0500 -@@ -436,6 +436,24 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.11/policy/modules/kernel/devices.if +--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-03-03 23:26:37.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/kernel/devices.if 2010-03-03 23:48:01.000000000 -0500 +@@ -461,6 +461,24 @@ ######################################## ## @@ -5927,7 +5980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Dontaudit setattr for generic character device files. ## ## -@@ -801,6 +819,24 @@ +@@ -826,6 +844,24 @@ ######################################## ## @@ -5952,7 +6005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Dontaudit read on all character file device nodes. ## ## -@@ -819,6 +855,24 @@ +@@ -844,6 +880,24 @@ ######################################## ## @@ -5977,7 +6030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Create all block device files. ## ## -@@ -855,6 +909,42 @@ +@@ -880,6 +934,42 @@ ######################################## ## @@ -6020,7 +6073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Delete all block device files. ## ## -@@ -1380,6 +1470,42 @@ +@@ -1405,6 +1495,42 @@ rw_chr_files_pattern($1, device_t, crypt_device_t) ') @@ -6063,7 +6116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ######################################## ## ## getattr the dri devices. -@@ -1710,6 +1836,24 @@ +@@ -1735,6 +1861,24 @@ ######################################## ## @@ -6088,7 +6141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Get the attributes of the ksm devices. ## ## -@@ -1999,6 +2143,24 @@ +@@ -2024,6 +2168,24 @@ ######################################## ## @@ -6113,7 +6166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Read raw memory devices (e.g. /dev/mem). ## ## -@@ -2450,6 +2612,24 @@ +@@ -2475,6 +2637,24 @@ ######################################## ## @@ -6138,7 +6191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Get the attributes of the network control device ## ## -@@ -3515,6 +3695,24 @@ +@@ -3587,6 +3767,24 @@ ######################################## ## @@ -6163,7 +6216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Mount a usbfs filesystem. ## ## -@@ -3703,6 +3901,24 @@ +@@ -3775,6 +3973,24 @@ getattr_chr_files_pattern($1, device_t, v4l_device_t) ') @@ -6188,9 +6241,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ######################################## ## ## Do not audit attempts to get the attributes -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.10/policy/modules/kernel/devices.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.11/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/kernel/devices.te 2010-02-26 15:47:09.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/kernel/devices.te 2010-03-03 23:48:01.000000000 -0500 @@ -59,6 +59,12 @@ type crypt_device_t; dev_node(crypt_device_t) @@ -6230,56 +6283,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device -allow devices_unconfined_type device_node:{ blk_file chr_file } *; +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.10/policy/modules/kernel/domain.if ---- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/kernel/domain.if 2010-02-25 16:40:56.000000000 -0500 -@@ -44,34 +44,6 @@ - interface(`domain_type',` - # start with basic domain - domain_base_type($1) -- -- ifdef(`distro_redhat',` -- optional_policy(` -- unconfined_use_fds($1) -- ') -- ') -- -- # send init a sigchld and signull -- optional_policy(` -- init_sigchld($1) -- init_signull($1) -- ') -- -- # these seem questionable: -- -- optional_policy(` -- rpm_use_fds($1) -- rpm_read_pipes($1) -- ') -- -- optional_policy(` -- selinux_dontaudit_getattr_fs($1) -- selinux_dontaudit_read_fs($1) -- ') -- -- optional_policy(` -- seutil_dontaudit_read_config($1) -- ') - ') - - ######################################## -@@ -746,10 +718,6 @@ - dontaudit $1 domain:dir list_dir_perms; - dontaudit $1 domain:lnk_file read_lnk_file_perms; - dontaudit $1 domain:file read_file_perms; -- -- # cjp: these should be removed: -- dontaudit $1 domain:sock_file read_sock_file_perms; -- dontaudit $1 domain:fifo_file read_fifo_file_perms; - ') - - ######################################## -@@ -791,6 +759,42 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.11/policy/modules/kernel/domain.if +--- nsaserefpolicy/policy/modules/kernel/domain.if 2010-03-03 23:26:37.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/kernel/domain.if 2010-03-03 23:48:01.000000000 -0500 +@@ -831,6 +831,42 @@ ######################################## ## @@ -6322,7 +6329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain ## Do not audit attempts to get the ## session ID of all domains. ## -@@ -1039,6 +1043,54 @@ +@@ -1079,6 +1115,54 @@ ######################################## ## @@ -6377,7 +6384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain ## Do not audit attempts to get the attributes ## of all domains unnamed pipes. ## -@@ -1248,18 +1300,34 @@ +@@ -1288,18 +1372,34 @@ ## ## # @@ -6415,7 +6422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain ## Allow specified type to receive labeled ## networking packets from all domains, over ## all protocols (TCP, UDP, etc) -@@ -1280,6 +1348,24 @@ +@@ -1320,6 +1420,24 @@ ######################################## ## @@ -6440,7 +6447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain ## Unconfined access to domains. ## ## -@@ -1304,3 +1390,39 @@ +@@ -1344,3 +1462,39 @@ typeattribute $1 process_uncond_exempt; ') @@ -6480,9 +6487,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain + + dontaudit $1 domain:socket_class_set { read write }; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.10/policy/modules/kernel/domain.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.11/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/kernel/domain.te 2010-02-26 09:13:18.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/kernel/domain.te 2010-03-03 23:48:01.000000000 -0500 @@ -5,6 +5,21 @@ # # Declarations @@ -6514,7 +6521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain # Domains that can mmap low memory. attribute mmap_low_domain_type; neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero; -@@ -80,6 +97,8 @@ +@@ -80,14 +97,17 @@ allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; kernel_read_proc_symlinks(domain) @@ -6523,8 +6530,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain # Every domain gets the key ring, so we should default # to no one allowed to look at it; afs kernel support creates # a keyring -@@ -87,7 +106,7 @@ + kernel_dontaudit_search_key(domain) kernel_dontaudit_link_key(domain) ++kernel_dontaudit_search_debugfs(domain) # create child processes in the domain -allow domain self:process { fork sigchld }; @@ -6532,7 +6540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain # Use trusted objects in /dev dev_rw_null(domain) -@@ -97,6 +116,13 @@ +@@ -97,6 +117,13 @@ # list the root directory files_list_root(domain) @@ -6546,7 +6554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain tunable_policy(`global_ssp',` # enable reading of urandom for all domains: # this should be enabled when all programs -@@ -106,6 +132,10 @@ +@@ -106,6 +133,10 @@ ') optional_policy(` @@ -6557,7 +6565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain libs_use_ld_so(domain) libs_use_shared_libs(domain) ') -@@ -118,6 +148,7 @@ +@@ -118,6 +149,7 @@ optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -6565,7 +6573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain ') ######################################## -@@ -136,6 +167,8 @@ +@@ -136,6 +168,8 @@ allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; @@ -6574,7 +6582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -153,3 +186,75 @@ +@@ -153,3 +187,75 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -6650,9 +6658,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain + userdom_relabelto_user_home_dirs(polydomain) + userdom_relabelto_user_home_files(polydomain) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.10/policy/modules/kernel/files.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.11/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/kernel/files.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/kernel/files.fc 2010-03-03 23:48:01.000000000 -0500 @@ -18,6 +18,7 @@ /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -6704,10 +6712,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) /var/lib/nfs/rpc_pipefs(/.*)? <> -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.10/policy/modules/kernel/files.if ---- nsaserefpolicy/policy/modules/kernel/files.if 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/kernel/files.if 2010-02-24 11:04:55.000000000 -0500 -@@ -932,10 +932,8 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.11/policy/modules/kernel/files.if +--- nsaserefpolicy/policy/modules/kernel/files.if 2010-03-03 23:26:37.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/kernel/files.if 2010-03-03 23:48:01.000000000 -0500 +@@ -1053,10 +1053,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -6720,7 +6728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1307,6 +1305,24 @@ +@@ -1428,6 +1426,24 @@ ######################################## ## @@ -6745,7 +6753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## List the contents of the root directory. ## ## -@@ -1431,6 +1447,24 @@ +@@ -1552,6 +1568,24 @@ ######################################## ## @@ -6770,7 +6778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Remove entries from the root directory. ## ## -@@ -2088,6 +2122,24 @@ +@@ -2209,6 +2243,24 @@ allow $1 etc_t:dir rw_dir_perms; ') @@ -6795,7 +6803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ########################################## ## ## Manage generic directories in /etc -@@ -2125,6 +2177,8 @@ +@@ -2280,6 +2332,8 @@ allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -6804,7 +6812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2207,6 +2261,24 @@ +@@ -2362,6 +2416,24 @@ ######################################## ## @@ -6829,7 +6837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Execute generic files in /etc. ## ## -@@ -2612,6 +2684,11 @@ +@@ -2785,6 +2857,11 @@ ') delete_files_pattern($1, file_t, file_t) @@ -6841,7 +6849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2726,6 +2803,7 @@ +@@ -2899,6 +2976,7 @@ ') allow $1 home_root_t:dir getattr; @@ -6849,7 +6857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2746,6 +2824,7 @@ +@@ -2919,6 +2997,7 @@ ') dontaudit $1 home_root_t:dir getattr; @@ -6857,7 +6865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2764,6 +2843,7 @@ +@@ -2937,6 +3016,7 @@ ') allow $1 home_root_t:dir search_dir_perms; @@ -6865,7 +6873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2783,6 +2863,7 @@ +@@ -2956,6 +3036,7 @@ ') dontaudit $1 home_root_t:dir search_dir_perms; @@ -6873,7 +6881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2802,6 +2883,7 @@ +@@ -2975,6 +3056,7 @@ ') dontaudit $1 home_root_t:dir list_dir_perms; @@ -6881,7 +6889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2820,6 +2902,7 @@ +@@ -2993,6 +3075,7 @@ ') allow $1 home_root_t:dir list_dir_perms; @@ -6889,7 +6897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -3329,6 +3412,64 @@ +@@ -3502,6 +3585,64 @@ allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -6954,7 +6962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Allow the specified type to associate -@@ -3514,6 +3655,32 @@ +@@ -3687,6 +3828,32 @@ ######################################## ## @@ -6987,7 +6995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Manage temporary files and directories in /tmp. ## ## -@@ -3727,6 +3894,8 @@ +@@ -3900,6 +4067,8 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -6996,7 +7004,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -3835,7 +4004,12 @@ +@@ -4008,7 +4177,12 @@ type usr_t; ') @@ -7010,7 +7018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -3874,6 +4048,7 @@ +@@ -4065,6 +4239,7 @@ allow $1 usr_t:dir list_dir_perms; read_files_pattern($1, usr_t, usr_t) read_lnk_files_pattern($1, usr_t, usr_t) @@ -7018,7 +7026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -3898,6 +4073,24 @@ +@@ -4089,6 +4264,24 @@ ######################################## ## @@ -7043,33 +7051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## dontaudit write of /usr files ## ## -@@ -4299,25 +4492,6 @@ - - ######################################## - ## --## Do not audit attempts to read and write --## files in the /var directory. --## --## --## --## Domain allowed access. --## --## --# --interface(`files_dontaudit_rw_var_files',` -- gen_require(` -- type var_t; -- ') -- -- dontaudit $1 var_t:file rw_file_perms; --') -- --######################################## --## - ## Create, read, write, and delete files in the /var directory. - ## - ## -@@ -4537,6 +4711,24 @@ +@@ -4742,6 +4935,24 @@ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -7094,7 +7076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -4809,6 +5001,25 @@ +@@ -5014,6 +5225,25 @@ search_dirs_pattern($1, var_t, var_run_t) ') @@ -7120,7 +7102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Do not audit attempts to search -@@ -4868,6 +5079,24 @@ +@@ -5073,6 +5303,24 @@ ######################################## ## @@ -7142,10 +7124,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + +######################################## +## - ## Create an object in the process ID directory, with a private - ## type using a type transition. + ## Create an object in the process ID directory, with a private type. ## -@@ -4917,6 +5146,24 @@ + ## +@@ -5148,6 +5396,24 @@ ######################################## ## @@ -7170,7 +7152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Do not audit attempts to write to daemon runtime data files. ## ## -@@ -4970,6 +5217,7 @@ +@@ -5201,6 +5467,7 @@ list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -7178,7 +7160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -5038,6 +5286,24 @@ +@@ -5269,6 +5536,24 @@ ######################################## ## @@ -7203,7 +7185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -5226,12 +5492,15 @@ +@@ -5457,12 +5742,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -7220,7 +7202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ') -@@ -5252,3 +5521,212 @@ +@@ -5483,3 +5771,212 @@ typeattribute $1 files_unconfined_type; ') @@ -7433,9 +7415,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + dontaudit $1 file_type:file rw_inherited_file_perms; + dontaudit $1 file_type:lnk_file { read }; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.10/policy/modules/kernel/files.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.11/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/kernel/files.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/kernel/files.te 2010-03-03 23:48:01.000000000 -0500 @@ -43,6 +43,7 @@ # type boot_t; @@ -7468,10 +7450,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.10/policy/modules/kernel/filesystem.if ---- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/kernel/filesystem.if 2010-02-26 15:26:19.000000000 -0500 -@@ -906,7 +906,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.11/policy/modules/kernel/filesystem.if +--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-03-03 23:26:37.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/kernel/filesystem.if 2010-03-03 23:48:01.000000000 -0500 +@@ -929,7 +929,7 @@ type cifs_t; ') @@ -7480,7 +7462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -1459,6 +1459,25 @@ +@@ -1482,6 +1482,25 @@ ######################################## ## @@ -7506,7 +7488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Create, read, write, and delete directories ## on a FUSEFS filesystem. ## -@@ -1613,6 +1632,36 @@ +@@ -1636,6 +1655,36 @@ ######################################## ## @@ -7543,7 +7525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Search inotifyfs filesystem. ## ## -@@ -1649,6 +1698,24 @@ +@@ -1672,6 +1721,24 @@ ######################################## ## @@ -7568,7 +7550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Mount an iso9660 filesystem, which ## is usually used on CDs. ## -@@ -2047,7 +2114,7 @@ +@@ -2070,7 +2137,7 @@ type nfs_t; ') @@ -7577,7 +7559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2069,6 +2136,25 @@ +@@ -2092,6 +2159,25 @@ read_lnk_files_pattern($1, nfs_t, nfs_t) ') @@ -7603,7 +7585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ######################################### ## ## Read named sockets on a NFS filesystem. -@@ -3458,6 +3544,24 @@ +@@ -3481,6 +3567,24 @@ ######################################## ## @@ -7628,7 +7610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Read and write generic tmpfs files. ## ## -@@ -3684,6 +3788,24 @@ +@@ -3707,6 +3811,24 @@ ######################################## ## @@ -7653,7 +7635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Mount a XENFS filesystem. ## ## -@@ -4181,3 +4303,214 @@ +@@ -4216,3 +4338,214 @@ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) ') @@ -7868,9 +7850,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + dontaudit $1 filesystem_type:file rw_inherited_file_perms; + dontaudit $1 filesystem_type:lnk_file { read }; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.10/policy/modules/kernel/filesystem.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.11/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/kernel/filesystem.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/kernel/filesystem.te 2010-03-03 23:48:01.000000000 -0500 @@ -29,6 +29,7 @@ fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0); fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0); @@ -7928,9 +7910,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # # nfs_t is the default type for NFS file systems -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.10/policy/modules/kernel/kernel.if ---- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/kernel/kernel.if 2010-02-23 15:54:38.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.11/policy/modules/kernel/kernel.if +--- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-03-01 15:12:54.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/kernel/kernel.if 2010-03-03 23:48:01.000000000 -0500 @@ -144,6 +144,24 @@ ######################################## @@ -7956,7 +7938,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## Send a generic signal to kernel threads. ## ## -@@ -1849,7 +1867,7 @@ +@@ -612,6 +630,24 @@ + + ######################################## + ## ++## Do not audit attempts to search the kernel debugging filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_dontaudit_search_debugfs',` ++ gen_require(` ++ type debugfs_t; ++ ') ++ ++ dontaudit $1 debugfs_t:dir search_dir_perms; ++') ++ ++######################################## ++## + ## Read information from the debugging filesystem. + ## + ## +@@ -1911,7 +1947,7 @@ ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -7965,7 +7972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ') ######################################## -@@ -1920,6 +1938,25 @@ +@@ -1982,6 +2018,25 @@ ######################################## ## @@ -7991,7 +7998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## Send general signals to unlabeled processes. ## ## -@@ -2663,6 +2700,24 @@ +@@ -2725,6 +2780,24 @@ ######################################## ## @@ -8016,7 +8023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## Unconfined access to kernel module resources. ## ## -@@ -2678,3 +2733,22 @@ +@@ -2740,3 +2813,22 @@ typeattribute $1 kern_unconfined; ') @@ -8039,9 +8046,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel + + allow $1 kernel_t:unix_stream_socket connectto; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.10/policy/modules/kernel/kernel.te ---- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/kernel/kernel.te 2010-02-23 15:54:38.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.11/policy/modules/kernel/kernel.te +--- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-03-04 08:02:45.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/kernel/kernel.te 2010-03-03 23:48:01.000000000 -0500 @@ -64,6 +64,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) @@ -8076,7 +8083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -270,6 +281,8 @@ +@@ -270,20 +281,27 @@ files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -8084,8 +8091,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel +files_manage_generic_spool_dirs(kernel_t) mcs_process_set_categories(kernel_t) +-mcs_killall(kernel_t) -@@ -277,12 +290,18 @@ + mls_process_read_up(kernel_t) mls_process_write_down(kernel_t) mls_file_write_all_levels(kernel_t) mls_file_read_all_levels(kernel_t) @@ -8104,7 +8112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel optional_policy(` hotplug_search_config(kernel_t) ') -@@ -359,6 +378,10 @@ +@@ -360,6 +378,10 @@ unconfined_domain_noaudit(kernel_t) ') @@ -8115,15 +8123,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ######################################## # # Unlabeled process local policy -@@ -388,3 +411,5 @@ +@@ -389,3 +411,5 @@ allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; + +files_boot(kernel_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.10/policy/modules/kernel/selinux.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.11/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/kernel/selinux.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/kernel/selinux.if 2010-03-03 23:48:01.000000000 -0500 @@ -40,7 +40,7 @@ # because of this statement, any module which @@ -8181,9 +8189,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu + fs_type($1) + mls_trusted_object($1) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.7.10/policy/modules/kernel/storage.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.7.11/policy/modules/kernel/storage.fc --- nsaserefpolicy/policy/modules/kernel/storage.fc 2009-11-20 10:51:41.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/kernel/storage.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/kernel/storage.fc 2010-03-03 23:48:01.000000000 -0500 @@ -14,6 +14,7 @@ /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) @@ -8192,9 +8200,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag /dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0) /dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.10/policy/modules/kernel/storage.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.11/policy/modules/kernel/storage.if --- nsaserefpolicy/policy/modules/kernel/storage.if 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/kernel/storage.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/kernel/storage.if 2010-03-03 23:48:01.000000000 -0500 @@ -304,6 +304,7 @@ dev_list_all_dev_nodes($1) @@ -8203,9 +8211,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.10/policy/modules/kernel/terminal.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.11/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/kernel/terminal.if 2010-02-25 17:44:00.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/kernel/terminal.if 2010-03-03 23:48:01.000000000 -0500 @@ -292,9 +292,11 @@ interface(`term_dontaudit_use_console',` gen_require(` @@ -8213,14 +8221,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin + type tty_device_t; ') - dontaudit $1 console_device_t:chr_file rw_chr_file_perms; -+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; +- dontaudit $1 console_device_t:chr_file rw_chr_file_perms; ++ dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms; ++ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms; ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.7.10/policy/modules/roles/auditadm.te +@@ -829,7 +831,7 @@ + attribute ptynode; + ') + +- dontaudit $1 ptynode:chr_file { rw_term_perms lock append }; ++ dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append }; + ') + + ######################################## +@@ -1196,7 +1198,7 @@ + type tty_device_t; + ') + +- dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; ++ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms; + ') + + ######################################## +@@ -1333,7 +1335,7 @@ + attribute ttynode; + ') + +- dontaudit $1 ttynode:chr_file rw_chr_file_perms; ++ dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms; + ') + + ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.7.11/policy/modules/roles/auditadm.te --- nsaserefpolicy/policy/modules/roles/auditadm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/roles/auditadm.te 2010-02-26 09:06:07.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/roles/auditadm.te 2010-03-03 23:48:01.000000000 -0500 @@ -33,6 +33,8 @@ seutil_run_runinit(auditadm_t, auditadm_r) seutil_read_bin_policy(auditadm_t) @@ -8230,23 +8266,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditad optional_policy(` consoletype_exec(auditadm_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/dbadm.if serefpolicy-3.7.10/policy/modules/roles/dbadm.if ---- nsaserefpolicy/policy/modules/roles/dbadm.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/roles/dbadm.if 2010-02-23 15:54:38.000000000 -0500 -@@ -12,8 +12,8 @@ - ## - # - interface(`dbadm_role_change',` -- get_require(` -- role dbadm_r' -+ gen_require(` -+ role dbadm_r; - ') - - allow $1 dbadm_r; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.10/policy/modules/roles/guest.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.11/policy/modules/roles/guest.te --- nsaserefpolicy/policy/modules/roles/guest.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/roles/guest.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/roles/guest.te 2010-03-03 23:48:01.000000000 -0500 @@ -16,7 +16,11 @@ # @@ -8261,9 +8283,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.t +') + +gen_user(guest_u, user, guest_r, s0, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.10/policy/modules/roles/staff.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.11/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2010-02-17 14:07:02.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/roles/staff.te 2010-03-01 09:58:00.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/roles/staff.te 2010-03-03 23:48:01.000000000 -0500 @@ -10,11 +10,26 @@ userdom_unpriv_user_template(staff) @@ -8439,9 +8461,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t +optional_policy(` + virt_stream_connect(staff_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.10/policy/modules/roles/sysadm.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.11/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-02-17 10:37:39.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/roles/sysadm.te 2010-02-26 09:04:40.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/roles/sysadm.te 2010-03-04 07:59:10.000000000 -0500 @@ -15,7 +15,7 @@ role sysadm_r; @@ -8451,7 +8473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ifndef(`enable_mls',` userdom_security_admin_template(sysadm_t, sysadm_r) -@@ -28,17 +28,25 @@ +@@ -28,17 +28,28 @@ corecmd_exec_shell(sysadm_t) @@ -8472,12 +8494,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. # Add/remove user home directories userdom_manage_user_home_dirs(sysadm_t) userdom_home_filetrans_user_home_dir(sysadm_t) ++userdom_manage_user_tmp_dirs(sysadm_t) ++userdom_manage_user_tmp_files(sysadm_t) ++userdom_manage_user_tmp_symlinks(sysadm_t) +userdom_manage_user_tmp_chr_files(sysadm_t) +userdom_manage_user_tmp_blk_files(sysadm_t) ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -70,7 +78,9 @@ +@@ -70,7 +81,9 @@ apache_run_helper(sysadm_t, sysadm_r) #apache_run_all_scripts(sysadm_t, sysadm_r) #apache_domtrans_sys_script(sysadm_t) @@ -8488,7 +8513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -86,9 +96,11 @@ +@@ -86,9 +99,11 @@ auditadm_role_change(sysadm_r) ') @@ -8500,7 +8525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` backup_run(sysadm_t, sysadm_r) -@@ -98,17 +110,25 @@ +@@ -98,17 +113,25 @@ bind_run_ndc(sysadm_t, sysadm_r) ') @@ -8526,7 +8551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` certwatch_run(sysadm_t, sysadm_r) -@@ -126,16 +146,18 @@ +@@ -126,16 +149,18 @@ consoletype_run(sysadm_t, sysadm_r) ') @@ -8547,7 +8572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -165,9 +187,11 @@ +@@ -165,9 +190,11 @@ ethereal_run_tethereal(sysadm_t, sysadm_r) ') @@ -8559,7 +8584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` firstboot_run(sysadm_t, sysadm_r) -@@ -177,6 +201,7 @@ +@@ -177,6 +204,7 @@ fstools_run(sysadm_t, sysadm_r) ') @@ -8567,7 +8592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` games_role(sysadm_r, sysadm_t) ') -@@ -192,6 +217,7 @@ +@@ -192,6 +220,7 @@ optional_policy(` gpg_role(sysadm_r, sysadm_t) ') @@ -8575,7 +8600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` hostname_run(sysadm_t, sysadm_r) -@@ -205,6 +231,9 @@ +@@ -205,6 +234,9 @@ ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -8585,7 +8610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -212,12 +241,18 @@ +@@ -212,12 +244,18 @@ ') optional_policy(` @@ -8604,7 +8629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` kudzu_run(sysadm_t, sysadm_r) -@@ -227,9 +262,11 @@ +@@ -227,9 +265,11 @@ libs_run_ldconfig(sysadm_t, sysadm_r) ') @@ -8616,15 +8641,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` logrotate_run(sysadm_t, sysadm_r) -@@ -254,6 +291,7 @@ +@@ -252,8 +292,10 @@ + + optional_policy(` mount_run(sysadm_t, sysadm_r) ++ mount_run_showmount(sysadm_t, sysadm_r) ') +ifndef(`distro_redhat',` optional_policy(` mozilla_role(sysadm_r, sysadm_t) ') -@@ -261,6 +299,7 @@ +@@ -261,6 +303,7 @@ optional_policy(` mplayer_role(sysadm_r, sysadm_t) ') @@ -8632,7 +8660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` mta_role(sysadm_r, sysadm_t) -@@ -308,8 +347,14 @@ +@@ -308,8 +351,14 @@ ') optional_policy(` @@ -8647,7 +8675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` quota_run(sysadm_t, sysadm_r) -@@ -319,9 +364,11 @@ +@@ -319,9 +368,11 @@ raid_domtrans_mdadm(sysadm_t) ') @@ -8659,7 +8687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` rpc_domtrans_nfsd(sysadm_t) -@@ -331,9 +378,11 @@ +@@ -331,9 +382,11 @@ rpm_run(sysadm_t, sysadm_r) ') @@ -8671,7 +8699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` rsync_exec(sysadm_t) -@@ -357,9 +406,11 @@ +@@ -357,9 +410,11 @@ seutil_run_runinit(sysadm_t, sysadm_r) ') @@ -8683,7 +8711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` ssh_role_template(sysadm, sysadm_r, sysadm_t) -@@ -369,6 +420,7 @@ +@@ -369,6 +424,7 @@ staff_role_change(sysadm_r) ') @@ -8691,7 +8719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` su_role_template(sysadm, sysadm_r, sysadm_t) ') -@@ -376,15 +428,18 @@ +@@ -376,15 +432,18 @@ optional_policy(` sudo_role_template(sysadm, sysadm_r, sysadm_t) ') @@ -8710,7 +8738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` tripwire_run_siggen(sysadm_t, sysadm_r) -@@ -393,17 +448,21 @@ +@@ -393,17 +452,21 @@ tripwire_run_twprint(sysadm_t, sysadm_r) ') @@ -8732,7 +8760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` unconfined_domtrans(sysadm_t) -@@ -417,9 +476,11 @@ +@@ -417,9 +480,11 @@ usbmodules_run(sysadm_t, sysadm_r) ') @@ -8744,7 +8772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` usermanage_run_admin_passwd(sysadm_t, sysadm_r) -@@ -427,9 +488,15 @@ +@@ -427,9 +492,15 @@ usermanage_run_useradd(sysadm_t, sysadm_r) ') @@ -8760,7 +8788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` vpn_run(sysadm_t, sysadm_r) -@@ -440,13 +507,26 @@ +@@ -440,13 +511,26 @@ ') optional_policy(` @@ -8787,9 +8815,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. + +init_script_role_transition(sysadm_r) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.10/policy/modules/roles/unconfineduser.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.11/policy/modules/roles/unconfineduser.fc --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/roles/unconfineduser.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/roles/unconfineduser.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,10 @@ +# Add programs here which should not be confined by SELinux +# e.g.: @@ -8801,9 +8829,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + +/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0) +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.10/policy/modules/roles/unconfineduser.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.11/policy/modules/roles/unconfineduser.if --- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/roles/unconfineduser.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/roles/unconfineduser.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,667 @@ +## Unconfiend user role + @@ -9472,9 +9500,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + + allow $1 unconfined_r; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.10/policy/modules/roles/unconfineduser.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.11/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/roles/unconfineduser.te 2010-02-26 10:43:24.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/roles/unconfineduser.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,432 @@ +policy_module(unconfineduser, 1.0.0) + @@ -9908,9 +9936,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.10/policy/modules/roles/unprivuser.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.11/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/roles/unprivuser.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/roles/unprivuser.te 2010-03-03 23:48:01.000000000 -0500 @@ -13,6 +13,7 @@ userdom_unpriv_user_template(user) @@ -9954,9 +9982,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu +optional_policy(` + setroubleshoot_dontaudit_stream_connect(user_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.10/policy/modules/roles/xguest.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.11/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/roles/xguest.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/roles/xguest.te 2010-03-03 23:48:01.000000000 -0500 @@ -15,7 +15,7 @@ ## @@ -10073,9 +10101,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.10/policy/modules/services/abrt.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.11/policy/modules/services/abrt.fc --- nsaserefpolicy/policy/modules/services/abrt.fc 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/abrt.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/abrt.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,11 +1,17 @@ /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) @@ -10095,10 +10123,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) /var/run/abrt\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) +/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.10/policy/modules/services/abrt.if ---- nsaserefpolicy/policy/modules/services/abrt.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/abrt.if 2010-02-26 14:29:34.000000000 -0500 -@@ -19,6 +19,29 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.11/policy/modules/services/abrt.if +--- nsaserefpolicy/policy/modules/services/abrt.if 2010-03-01 15:12:54.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/abrt.if 2010-03-03 23:48:01.000000000 -0500 +@@ -19,6 +19,28 @@ domtrans_pattern($1, abrt_exec_t, abrt_t) ') @@ -10121,14 +10149,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt + +ifdef(`hide_broken_symptoms', ` + dontaudit abrt_helper_t $1:socket_class_set { read write }; -+ fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) +') +') + ###################################### ## ## Execute abrt -@@ -56,6 +79,32 @@ +@@ -57,6 +79,32 @@ read_files_pattern($1, abrt_etc_t, abrt_etc_t) ') @@ -10161,7 +10188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ###################################### ## ## Read abrt logs. -@@ -75,6 +124,101 @@ +@@ -76,6 +124,101 @@ read_files_pattern($1, abrt_var_log_t, abrt_var_log_t) ') @@ -10263,9 +10290,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ##################################### ## ## All of the rules required to administrate -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.10/policy/modules/services/abrt.te ---- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/abrt.te 2010-03-01 10:50:07.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.11/policy/modules/services/abrt.te +--- nsaserefpolicy/policy/modules/services/abrt.te 2010-03-01 15:12:54.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/abrt.te 2010-03-03 23:48:01.000000000 -0500 @@ -33,12 +33,24 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -10313,13 +10340,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir }) kernel_read_ring_buffer(abrt_t) -@@ -75,18 +90,38 @@ +@@ -75,25 +90,38 @@ corecmd_exec_bin(abrt_t) corecmd_exec_shell(abrt_t) +corecmd_read_all_executables(abrt_t) +-corenet_all_recvfrom_netlabel(abrt_t) +-corenet_all_recvfrom_unlabeled(abrt_t) +-corenet_sendrecv_http_client_packets(abrt_t) +-corenet_tcp_bind_generic_node(abrt_t) corenet_tcp_connect_http_port(abrt_t) +-corenet_tcp_sendrecv_generic_if(abrt_t) +-corenet_tcp_sendrecv_generic_node(abrt_t) +-corenet_tcp_sendrecv_generic_port(abrt_t) +corenet_tcp_connect_ftp_port(abrt_t) +corenet_tcp_connect_all_ports(abrt_t) @@ -10352,7 +10386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt sysnet_read_config(abrt_t) -@@ -96,22 +131,96 @@ +@@ -103,22 +131,98 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -10442,7 +10476,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt + +miscfiles_read_localization(abrt_helper_t) + -+userdom_dontaudit_use_user_terminals(abrt_helper_t) ++term_dontaudit_use_all_ttys(abrt_helper_t) ++term_dontaudit_use_all_ptys(abrt_helper_t) + +ifdef(`hide_broken_symptoms', ` + domain_dontaudit_leaks(abrt_helper_t) @@ -10455,10 +10490,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt + dev_dontaudit_read_all_chr_files(abrt_helper_t) + dev_dontaudit_write_all_chr_files(abrt_helper_t) + dev_dontaudit_write_all_blk_files(abrt_helper_t) ++ fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.10/policy/modules/services/afs.te ---- nsaserefpolicy/policy/modules/services/afs.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/afs.te 2010-02-23 15:54:38.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.7.11/policy/modules/services/afs.if +--- nsaserefpolicy/policy/modules/services/afs.if 2010-03-01 15:12:54.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/afs.if 2010-03-03 23:48:01.000000000 -0500 +@@ -94,7 +94,7 @@ + # + interface(`afs_admin',` + gen_require(` +- type afs_t; ++ type afs_t, afs_initrc_exec_t; + ') + + allow $1 afs_t:process { ptrace signal_perms getattr }; +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.11/policy/modules/services/afs.te +--- nsaserefpolicy/policy/modules/services/afs.te 2010-03-01 15:12:54.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/afs.te 2010-03-03 23:48:01.000000000 -0500 @@ -71,8 +71,8 @@ # afs client local policy # @@ -10466,7 +10514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs. -allow afs_t self:capability { sys_nice sys_tty_config }; -allow afs_t self:process setsched; +allow afs_t self:capability { sys_admin sys_nice sys_tty_config }; -+allow afs_t self:process { fork setsched signal }; ++allow afs_t self:process { setsched signal }; allow afs_t self:udp_socket create_socket_perms; allow afs_t self:fifo_file rw_file_perms; allow afs_t self:unix_stream_socket create_stream_socket_perms; @@ -10479,18 +10527,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs. ######################################## # # AFS bossserver local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.7.10/policy/modules/services/aiccu.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.7.11/policy/modules/services/aiccu.fc --- nsaserefpolicy/policy/modules/services/aiccu.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/aiccu.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/aiccu.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,5 @@ + +/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0) + +/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0) +/var/run/aiccu.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.7.10/policy/modules/services/aiccu.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.7.11/policy/modules/services/aiccu.if --- nsaserefpolicy/policy/modules/services/aiccu.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/aiccu.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/aiccu.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,119 @@ + +## policy for aiccu @@ -10611,9 +10659,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc + aiccu_manage_var_run($1) + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.10/policy/modules/services/aiccu.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.11/policy/modules/services/aiccu.te --- nsaserefpolicy/policy/modules/services/aiccu.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/aiccu.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/aiccu.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,41 @@ +policy_module(aiccu,1.0.0) + @@ -10656,9 +10704,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc +manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) +manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) +files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.10/policy/modules/services/aisexec.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.11/policy/modules/services/aisexec.fc --- nsaserefpolicy/policy/modules/services/aisexec.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/aisexec.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/aisexec.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,10 @@ + +/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0) @@ -10670,9 +10718,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise +/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0) + +/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.10/policy/modules/services/aisexec.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.11/policy/modules/services/aisexec.if --- nsaserefpolicy/policy/modules/services/aisexec.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/aisexec.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/aisexec.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,106 @@ +## SELinux policy for Aisexec Cluster Engine + @@ -10780,9 +10828,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise + + admin_pattern($1, aisexec_tmpfs_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.10/policy/modules/services/aisexec.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.11/policy/modules/services/aisexec.te --- nsaserefpolicy/policy/modules/services/aisexec.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/aisexec.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/aisexec.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,115 @@ + +policy_module(aisexec,1.0.0) @@ -10899,9 +10947,59 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise + groupd_rw_semaphores(aisexec_t) + groupd_rw_shm(aisexec_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.7.10/policy/modules/services/amavis.te ---- nsaserefpolicy/policy/modules/services/amavis.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/amavis.te 2010-02-23 15:54:38.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.7.11/policy/modules/services/amavis.if +--- nsaserefpolicy/policy/modules/services/amavis.if 2010-03-04 11:17:25.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/amavis.if 2010-03-03 23:27:40.000000000 -0500 +@@ -18,30 +18,11 @@ + type amavis_t, amavis_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, amavis_exec_t, amavis_t) + ') + + ######################################## + ## +-## Execute amavis server in the amavis domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`amavis_initrc_domtrans',` +- gen_require(` +- type amavis_initrc_exec_t; +- ') +- +- init_labeled_script_domtrans($1, amavis_initrc_exec_t) +-') +- +-######################################## +-## + ## Read amavis spool files. + ## + ## +@@ -228,13 +209,13 @@ + type amavis_t, amavis_tmp_t, amavis_var_log_t; + type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t; + type amavis_etc_t, amavis_quarantine_t; +- type amavis_initrc_exec_t; ++ type amavis_initrc_exec_t; + ') + + allow $1 amavis_t:process { ptrace signal_perms }; + ps_process_pattern($1, amavis_t) + +- amavis_initrc_domtrans($1) ++ init_labeled_script_domtrans($1, amavis_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 amavis_initrc_exec_t system_r; + allow $2 system_r; +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.7.11/policy/modules/services/amavis.te +--- nsaserefpolicy/policy/modules/services/amavis.te 2010-03-04 11:17:25.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/amavis.te 2010-03-03 23:48:01.000000000 -0500 @@ -138,11 +138,13 @@ auth_dontaudit_read_shadow(amavis_t) @@ -10916,9 +11014,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav sysnet_dns_name_resolve(amavis_t) sysnet_use_ldap(amavis_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.10/policy/modules/services/apache.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.11/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/apache.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/apache.fc 2010-03-03 23:48:01.000000000 -0500 @@ -2,12 +2,19 @@ /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) @@ -11046,9 +11144,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.10/policy/modules/services/apache.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.11/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/apache.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/apache.if 2010-03-03 23:48:01.000000000 -0500 @@ -13,21 +13,17 @@ # template(`apache_content_template',` @@ -11757,9 +11855,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + dontaudit $1 httpd_t:unix_dgram_socket { read write }; + dontaudit $1 httpd_t:unix_stream_socket { read write }; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.10/policy/modules/services/apache.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.11/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/apache.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/apache.te 2010-03-04 09:59:11.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # @@ -12324,7 +12422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -568,20 +776,25 @@ +@@ -568,20 +776,32 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -12343,6 +12441,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t) + corenet_tcp_connect_mysqld_port(httpd_suexec_t) + corenet_sendrecv_mysqld_client_packets(httpd_suexec_t) ++ ++ corenet_tcp_connect_mssql_port(httpd_t) ++ corenet_sendrecv_mssql_client_packets(httpd_t) ++ corenet_tcp_connect_mssql_port(httpd_sys_script_t) ++ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) ++ corenet_tcp_connect_mssql_port(httpd_suexec_t) ++ corenet_sendrecv_mssql_client_packets(httpd_suexec_t) ') -optional_policy(` @@ -12356,7 +12461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -599,23 +812,24 @@ +@@ -599,23 +819,24 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) @@ -12385,7 +12490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -628,6 +842,7 @@ +@@ -628,6 +849,7 @@ logging_send_syslog_msg(httpd_suexec_t) miscfiles_read_localization(httpd_suexec_t) @@ -12393,7 +12498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; -@@ -635,22 +850,31 @@ +@@ -635,22 +857,31 @@ corenet_all_recvfrom_unlabeled(httpd_suexec_t) corenet_all_recvfrom_netlabel(httpd_suexec_t) @@ -12432,7 +12537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -676,16 +900,16 @@ +@@ -676,16 +907,16 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -12453,7 +12558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dontaudit httpd_sys_script_t httpd_config_t:dir search; -@@ -700,15 +924,29 @@ +@@ -700,15 +931,29 @@ files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) @@ -12485,7 +12590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -716,6 +954,35 @@ +@@ -716,6 +961,35 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -12521,7 +12626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -728,6 +995,10 @@ +@@ -728,6 +1002,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -12532,7 +12637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -739,6 +1010,8 @@ +@@ -739,6 +1017,8 @@ # httpd_rotatelogs local policy # @@ -12541,7 +12646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -758,11 +1031,88 @@ +@@ -758,11 +1038,88 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -12633,23 +12738,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.7.10/policy/modules/services/apm.te ---- nsaserefpolicy/policy/modules/services/apm.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/apm.te 2010-02-23 15:54:38.000000000 -0500 -@@ -223,6 +223,10 @@ - unconfined_domain(apmd_t) - ') - -+optional_policy(` -+ vbetool_domtrans(apmd_t) -+') -+ - # cjp: related to sleep/resume (?) - optional_policy(` - xserver_domtrans(apmd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.10/policy/modules/services/arpwatch.te ---- nsaserefpolicy/policy/modules/services/arpwatch.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/arpwatch.te 2010-02-23 15:54:38.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.11/policy/modules/services/arpwatch.te +--- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-03-04 11:17:25.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/arpwatch.te 2010-03-03 23:48:01.000000000 -0500 @@ -34,6 +34,7 @@ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms }; allow arpwatch_t self:udp_socket create_socket_perms; @@ -12675,9 +12766,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw fs_getattr_all_fs(arpwatch_t) fs_search_auto_mountpoints(arpwatch_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.10/policy/modules/services/asterisk.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.11/policy/modules/services/asterisk.if --- nsaserefpolicy/policy/modules/services/asterisk.if 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/asterisk.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/asterisk.if 2010-03-03 23:48:01.000000000 -0500 @@ -2,8 +2,28 @@ ##################################### @@ -12756,9 +12847,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste + + can_exec($1, asterisk_exec_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.10/policy/modules/services/asterisk.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.11/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/asterisk.te 2010-03-01 10:50:26.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/asterisk.te 2010-03-03 23:48:01.000000000 -0500 @@ -40,12 +40,13 @@ # @@ -12859,18 +12950,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste + udev_read_db(asterisk_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.7.10/policy/modules/services/avahi.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.7.11/policy/modules/services/avahi.fc --- nsaserefpolicy/policy/modules/services/avahi.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/avahi.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/avahi.fc 2010-03-03 23:48:01.000000000 -0500 @@ -6,4 +6,4 @@ /var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0) -/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0) +/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.10/policy/modules/services/avahi.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.11/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/avahi.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/avahi.te 2010-03-03 23:48:01.000000000 -0500 @@ -24,7 +24,7 @@ # Local policy # @@ -12915,9 +13006,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah userdom_dontaudit_use_unpriv_user_fds(avahi_t) userdom_dontaudit_search_user_home_dirs(avahi_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.10/policy/modules/services/bind.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.11/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/bind.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/bind.if 2010-03-03 23:48:01.000000000 -0500 @@ -253,7 +253,7 @@ ######################################## @@ -12962,9 +13053,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind domain_system_change_exemption($1) role_transition $2 named_initrc_exec_t system_r; allow $2 system_r; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.7.10/policy/modules/services/bind.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.7.11/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/bind.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/bind.te 2010-03-03 23:48:01.000000000 -0500 @@ -142,11 +142,11 @@ logging_send_syslog_msg(named_t) @@ -12979,9 +13070,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind userdom_dontaudit_use_unpriv_user_fds(named_t) userdom_dontaudit_search_user_home_dirs(named_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.10/policy/modules/services/bluetooth.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.11/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/bluetooth.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/bluetooth.te 2010-03-03 23:48:01.000000000 -0500 @@ -96,6 +96,7 @@ kernel_read_system_state(bluetooth_t) kernel_read_network_state(bluetooth_t) @@ -12990,9 +13081,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue corenet_all_recvfrom_unlabeled(bluetooth_t) corenet_all_recvfrom_netlabel(bluetooth_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.7.10/policy/modules/services/cachefilesd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.7.11/policy/modules/services/cachefilesd.fc --- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/cachefilesd.fc 2010-02-26 15:11:32.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/cachefilesd.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,28 @@ +############################################################################### +# @@ -13022,9 +13113,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach +/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0) + +/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.7.10/policy/modules/services/cachefilesd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.7.11/policy/modules/services/cachefilesd.if --- nsaserefpolicy/policy/modules/services/cachefilesd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/cachefilesd.if 2010-02-26 15:09:20.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/cachefilesd.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,41 @@ +############################################################################### +# @@ -13067,9 +13158,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach + allow cachefilesd_t $1:fifo_file rw_file_perms; + allow cachefilesd_t $1:process sigchld; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.7.10/policy/modules/services/cachefilesd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.7.11/policy/modules/services/cachefilesd.te --- nsaserefpolicy/policy/modules/services/cachefilesd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/cachefilesd.te 2010-02-26 15:09:20.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/cachefilesd.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,146 @@ +############################################################################### +# @@ -13217,9 +13308,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach +fs_getattr_xattr_fs(cachefiles_kernel_t) + +dev_search_sysfs(cachefiles_kernel_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.10/policy/modules/services/ccs.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.11/policy/modules/services/ccs.te --- nsaserefpolicy/policy/modules/services/ccs.te 2010-02-16 14:58:22.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/ccs.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/ccs.te 2010-03-03 23:48:01.000000000 -0500 @@ -114,5 +114,10 @@ ') @@ -13231,9 +13322,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs. +optional_policy(` unconfined_use_fds(ccs_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.7.10/policy/modules/services/certmaster.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.7.11/policy/modules/services/certmaster.fc --- nsaserefpolicy/policy/modules/services/certmaster.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/certmaster.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/certmaster.fc 2010-03-03 23:48:01.000000000 -0500 @@ -3,5 +3,6 @@ /usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0) @@ -13241,9 +13332,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +/var/lib/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_lib_t,s0) /var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0) /var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.10/policy/modules/services/certmonger.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.11/policy/modules/services/certmonger.fc --- nsaserefpolicy/policy/modules/services/certmonger.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/certmonger.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/certmonger.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,6 @@ +/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0) + @@ -13251,9 +13342,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert + +/var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0) +/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.10/policy/modules/services/certmonger.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.11/policy/modules/services/certmonger.if --- nsaserefpolicy/policy/modules/services/certmonger.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/certmonger.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/certmonger.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,217 @@ + +## Certificate status monitor and PKI enrollment client @@ -13472,9 +13563,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert + files_search_pids($1) + admin_pattern($1, cermonger_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.10/policy/modules/services/certmonger.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.11/policy/modules/services/certmonger.te --- nsaserefpolicy/policy/modules/services/certmonger.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/certmonger.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/certmonger.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,74 @@ +policy_module(certmonger,1.0.0) + @@ -13550,9 +13641,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +optional_policy(` + unconfined_dbus_send(certmonger_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.10/policy/modules/services/cgroup.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.11/policy/modules/services/cgroup.fc --- nsaserefpolicy/policy/modules/services/cgroup.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/cgroup.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/cgroup.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0) +/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t, s0) @@ -13561,9 +13652,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro +/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfigparser_exec_t, s0) + +/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.10/policy/modules/services/cgroup.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.11/policy/modules/services/cgroup.if --- nsaserefpolicy/policy/modules/services/cgroup.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/cgroup.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/cgroup.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,35 @@ +## Control group rules engine daemon. +## @@ -13600,9 +13691,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro + stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.10/policy/modules/services/cgroup.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.11/policy/modules/services/cgroup.te --- nsaserefpolicy/policy/modules/services/cgroup.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/cgroup.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/cgroup.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,87 @@ +policy_module(cgroup, 1.0.0) + @@ -13691,18 +13782,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro +# /mnt/cgroups/cpu +kernel_list_unlabeled(cgconfigparser_t) +kernel_read_system_state(cgconfigparser_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.10/policy/modules/services/chronyd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.11/policy/modules/services/chronyd.fc --- nsaserefpolicy/policy/modules/services/chronyd.fc 2010-02-16 14:58:22.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/chronyd.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/chronyd.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,3 +1,5 @@ +/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0) + /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.10/policy/modules/services/chronyd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.11/policy/modules/services/chronyd.if --- nsaserefpolicy/policy/modules/services/chronyd.if 2010-02-16 14:58:22.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/chronyd.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/chronyd.if 2010-03-03 23:48:01.000000000 -0500 @@ -77,7 +77,7 @@ gen_require(` type chronyd_t, chronyd_var_log_t; @@ -13721,9 +13812,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro logging_search_logs($1) admin_pattern($1, chronyd_var_log_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.10/policy/modules/services/chronyd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.11/policy/modules/services/chronyd.te --- nsaserefpolicy/policy/modules/services/chronyd.te 2010-02-16 14:58:22.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/chronyd.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/chronyd.te 2010-03-03 23:48:01.000000000 -0500 @@ -13,6 +13,9 @@ type chronyd_initrc_exec_t; init_script_file(chronyd_initrc_exec_t) @@ -13772,9 +13863,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro +optional_policy(` + gpsd_rw_shm(chronyd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.10/policy/modules/services/clamav.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.11/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/clamav.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/clamav.te 2010-03-03 23:48:01.000000000 -0500 @@ -57,6 +57,7 @@ # @@ -13798,17 +13889,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam optional_policy(` cron_system_entry(freshclam_t, freshclam_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.10/policy/modules/services/clogd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.11/policy/modules/services/clogd.fc --- nsaserefpolicy/policy/modules/services/clogd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/clogd.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/clogd.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,4 @@ + +/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0) + +/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.10/policy/modules/services/clogd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.11/policy/modules/services/clogd.if --- nsaserefpolicy/policy/modules/services/clogd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/clogd.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/clogd.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,82 @@ +## clogd - clustered mirror log server + @@ -13892,9 +13983,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog + fs_search_tmpfs($1) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.10/policy/modules/services/clogd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.11/policy/modules/services/clogd.te --- nsaserefpolicy/policy/modules/services/clogd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/clogd.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/clogd.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,65 @@ + +policy_module(clogd,1.0.0) @@ -13961,9 +14052,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.10/policy/modules/services/cobbler.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.11/policy/modules/services/cobbler.if --- nsaserefpolicy/policy/modules/services/cobbler.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/cobbler.if 2010-02-28 10:20:18.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/cobbler.if 2010-03-03 23:48:01.000000000 -0500 @@ -162,6 +162,7 @@ gen_require(` type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; @@ -13981,9 +14072,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb cobblerd_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 cobblerd_initrc_exec_t system_r; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.10/policy/modules/services/cobbler.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.11/policy/modules/services/cobbler.te --- nsaserefpolicy/policy/modules/services/cobbler.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/cobbler.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/cobbler.te 2010-03-03 23:48:01.000000000 -0500 @@ -40,6 +40,7 @@ allow cobblerd_t self:fifo_file rw_fifo_file_perms; allow cobblerd_t self:tcp_socket create_stream_socket_perms; @@ -14014,9 +14105,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb +apache_content_template(cobbler) +manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) +manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.10/policy/modules/services/consolekit.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.11/policy/modules/services/consolekit.fc --- nsaserefpolicy/policy/modules/services/consolekit.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/consolekit.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/consolekit.fc 2010-03-03 23:48:01.000000000 -0500 @@ -2,4 +2,5 @@ /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) @@ -14024,9 +14115,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons -/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0) + +/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.10/policy/modules/services/consolekit.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.11/policy/modules/services/consolekit.if --- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/consolekit.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/consolekit.if 2010-03-03 23:48:01.000000000 -0500 @@ -57,3 +57,42 @@ read_files_pattern($1, consolekit_log_t, consolekit_log_t) files_search_pids($1) @@ -14070,9 +14161,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.10/policy/modules/services/consolekit.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.11/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/consolekit.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/consolekit.te 2010-03-03 23:48:01.000000000 -0500 @@ -16,12 +16,15 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -14158,9 +14249,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + unconfined_ptrace(consolekit_t) unconfined_stream_connect(consolekit_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.10/policy/modules/services/corosync.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.11/policy/modules/services/corosync.fc --- nsaserefpolicy/policy/modules/services/corosync.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/corosync.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/corosync.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,14 @@ + +/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) @@ -14176,9 +14267,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro +/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) +/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.10/policy/modules/services/corosync.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.11/policy/modules/services/corosync.if --- nsaserefpolicy/policy/modules/services/corosync.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/corosync.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/corosync.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,108 @@ +## SELinux policy for Corosync Cluster Engine + @@ -14288,9 +14379,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.10/policy/modules/services/corosync.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.11/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/corosync.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/corosync.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,115 @@ + +policy_module(corosync,1.0.0) @@ -14407,9 +14498,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro +optional_policy(` + rgmanager_manage_tmpfs_files(corosync_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.10/policy/modules/services/cron.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.11/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/cron.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/cron.fc 2010-03-03 23:48:01.000000000 -0500 @@ -14,7 +14,7 @@ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) @@ -14427,9 +14518,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) + +/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.10/policy/modules/services/cron.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.11/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/cron.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/cron.if 2010-03-03 23:48:01.000000000 -0500 @@ -12,6 +12,10 @@ ## # @@ -14580,9 +14671,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron + + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.10/policy/modules/services/cron.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.11/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/cron.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/cron.te 2010-03-03 23:48:01.000000000 -0500 @@ -38,8 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -14860,9 +14951,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron unconfined_domain(system_cronjob_t) userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.10/policy/modules/services/cups.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.11/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/cups.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/cups.fc 2010-03-03 23:48:01.000000000 -0500 @@ -13,10 +13,14 @@ /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) @@ -14909,9 +15000,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.10/policy/modules/services/cups.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.11/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/cups.te 2010-03-01 08:42:24.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/cups.te 2010-03-03 23:48:01.000000000 -0500 @@ -23,6 +23,9 @@ type cupsd_initrc_exec_t; init_script_file(cupsd_initrc_exec_t) @@ -15158,9 +15249,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups dev_read_sysfs(hplip_t) dev_rw_printer(hplip_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.10/policy/modules/services/cvs.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.11/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/cvs.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/cvs.te 2010-03-03 23:48:01.000000000 -0500 @@ -93,6 +93,7 @@ auth_can_read_shadow_passwords(cvs_t) tunable_policy(`allow_cvs_read_shadow',` @@ -15175,9 +15266,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.10/policy/modules/services/cyrus.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.11/policy/modules/services/cyrus.te --- nsaserefpolicy/policy/modules/services/cyrus.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/cyrus.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/cyrus.te 2010-03-03 23:48:01.000000000 -0500 @@ -75,6 +75,7 @@ corenet_tcp_bind_mail_port(cyrus_t) corenet_tcp_bind_lmtp_port(cyrus_t) @@ -15194,9 +15285,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru snmp_read_snmp_var_lib_files(cyrus_t) snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) snmp_stream_connect(cyrus_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.10/policy/modules/services/dbus.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.11/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/dbus.if 2010-03-01 10:27:15.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/dbus.if 2010-03-03 23:48:01.000000000 -0500 @@ -42,8 +42,10 @@ gen_require(` class dbus { send_msg acquire_svc }; @@ -15332,9 +15423,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.10/policy/modules/services/dbus.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.11/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/dbus.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/dbus.te 2010-03-03 23:48:01.000000000 -0500 @@ -86,6 +86,7 @@ dev_read_sysfs(system_dbusd_t) @@ -15393,9 +15484,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + xserver_rw_xdm_pipes(session_bus_type) + xserver_append_xdm_home_files(session_bus_type) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.7.10/policy/modules/services/dcc.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.7.11/policy/modules/services/dcc.te --- nsaserefpolicy/policy/modules/services/dcc.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/dcc.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/dcc.te 2010-03-03 23:48:01.000000000 -0500 @@ -81,7 +81,7 @@ # dcc daemon controller local policy # @@ -15405,9 +15496,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. allow cdcc_t self:unix_dgram_socket create_socket_perms; allow cdcc_t self:udp_socket create_socket_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.10/policy/modules/services/denyhosts.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.11/policy/modules/services/denyhosts.fc --- nsaserefpolicy/policy/modules/services/denyhosts.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/denyhosts.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/denyhosts.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t, s0) + @@ -15416,9 +15507,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny +/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t, s0) +/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t, s0) +/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.10/policy/modules/services/denyhosts.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.11/policy/modules/services/denyhosts.if --- nsaserefpolicy/policy/modules/services/denyhosts.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/denyhosts.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/denyhosts.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,90 @@ +## Deny Hosts. +## @@ -15510,9 +15601,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny + ps_process_pattern($1, denyhosts_t) + read_lnk_files_pattern($1, denyhosts_t, denyhosts_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.10/policy/modules/services/denyhosts.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.11/policy/modules/services/denyhosts.te --- nsaserefpolicy/policy/modules/services/denyhosts.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/denyhosts.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/denyhosts.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,72 @@ + +policy_module(denyhosts, 1.0.0) @@ -15586,9 +15677,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny +optional_policy(` + cron_system_entry(denyhosts_t, denyhosts_exec_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.10/policy/modules/services/devicekit.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.11/policy/modules/services/devicekit.fc --- nsaserefpolicy/policy/modules/services/devicekit.fc 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/devicekit.fc 2010-02-25 14:52:32.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/devicekit.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,8 +1,12 @@ /usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) /usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) @@ -15603,9 +15694,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi -/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.10/policy/modules/services/devicekit.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.11/policy/modules/services/devicekit.if --- nsaserefpolicy/policy/modules/services/devicekit.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/devicekit.if 2010-02-25 14:53:23.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/devicekit.if 2010-03-03 23:48:01.000000000 -0500 @@ -139,6 +139,26 @@ ######################################## @@ -15642,9 +15733,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi ') allow $1 devicekit_t:process { ptrace signal_perms getattr }; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.10/policy/modules/services/devicekit.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.11/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/devicekit.te 2010-02-26 09:03:13.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/devicekit.te 2010-03-03 23:48:01.000000000 -0500 @@ -42,6 +42,8 @@ files_read_etc_files(devicekit_t) @@ -15790,15 +15881,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -@@ -151,6 +194,7 @@ +@@ -151,6 +194,8 @@ kernel_read_system_state(devicekit_power_t) kernel_rw_hotplug_sysctls(devicekit_power_t) kernel_rw_kernel_sysctl(devicekit_power_t) ++kernel_search_debugfs(devicekit_power_t) +kernel_write_proc_files(devicekit_power_t) corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) -@@ -159,7 +203,9 @@ +@@ -159,7 +204,9 @@ domain_read_all_domains_state(devicekit_power_t) @@ -15808,7 +15900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) -@@ -167,12 +213,16 @@ +@@ -167,12 +214,17 @@ files_read_etc_files(devicekit_power_t) files_read_usr_files(devicekit_power_t) @@ -15821,11 +15913,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi miscfiles_read_localization(devicekit_power_t) +sysnet_read_config(devicekit_power_t) ++sysnet_domtrans_ifconfig(devicekit_power_t) + userdom_read_all_users_state(devicekit_power_t) optional_policy(` -@@ -180,6 +230,10 @@ +@@ -180,6 +232,10 @@ ') optional_policy(` @@ -15836,7 +15929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi dbus_system_bus_client(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; -@@ -203,17 +257,23 @@ +@@ -203,17 +259,23 @@ optional_policy(` hal_domtrans_mac(devicekit_power_t) @@ -15860,9 +15953,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi +optional_policy(` vbetool_domtrans(devicekit_power_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.7.10/policy/modules/services/dhcp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.7.11/policy/modules/services/dhcp.te --- nsaserefpolicy/policy/modules/services/dhcp.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/dhcp.te 2010-02-28 10:19:25.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/dhcp.te 2010-03-03 23:48:01.000000000 -0500 @@ -112,6 +112,10 @@ ') @@ -15874,9 +15967,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp dbus_system_bus_client(dhcpd_t) dbus_connect_system_bus(dhcpd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.10/policy/modules/services/djbdns.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.11/policy/modules/services/djbdns.if --- nsaserefpolicy/policy/modules/services/djbdns.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/djbdns.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/djbdns.if 2010-03-03 23:48:01.000000000 -0500 @@ -26,6 +26,8 @@ daemontools_read_svc(djbdns_$1_t) @@ -15926,9 +16019,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd + + allow $1 djbdns_tinydn_t:key link; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.7.10/policy/modules/services/djbdns.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.7.11/policy/modules/services/djbdns.te --- nsaserefpolicy/policy/modules/services/djbdns.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/djbdns.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/djbdns.te 2010-03-03 23:48:01.000000000 -0500 @@ -42,3 +42,11 @@ files_search_var(djbdns_axfrdns_t) @@ -15941,9 +16034,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd + +init_dontaudit_use_script_fds(djbdns_tinydns_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.10/policy/modules/services/dnsmasq.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.11/policy/modules/services/dnsmasq.fc --- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/dnsmasq.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/dnsmasq.fc 2010-03-03 23:48:01.000000000 -0500 @@ -6,5 +6,7 @@ /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) @@ -15952,9 +16045,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm + /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.10/policy/modules/services/dnsmasq.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.11/policy/modules/services/dnsmasq.if --- nsaserefpolicy/policy/modules/services/dnsmasq.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/dnsmasq.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/dnsmasq.if 2010-03-03 23:48:01.000000000 -0500 @@ -111,7 +111,7 @@ type dnsmasq_etc_t; ') @@ -15973,9 +16066,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm files_search_etc($1) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.10/policy/modules/services/dnsmasq.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.11/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/dnsmasq.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/dnsmasq.te 2010-03-03 23:48:01.000000000 -0500 @@ -19,6 +19,9 @@ type dnsmasq_lease_t; files_type(dnsmasq_lease_t) @@ -16031,9 +16124,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm seutil_sigchld_newrole(dnsmasq_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.10/policy/modules/services/dovecot.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.11/policy/modules/services/dovecot.fc --- nsaserefpolicy/policy/modules/services/dovecot.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/dovecot.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/dovecot.fc 2010-03-03 23:48:01.000000000 -0500 @@ -34,6 +34,7 @@ /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) @@ -16042,9 +16135,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove /var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.10/policy/modules/services/dovecot.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.11/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/dovecot.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/dovecot.te 2010-03-03 23:48:01.000000000 -0500 @@ -73,14 +73,21 @@ can_exec(dovecot_t, dovecot_exec_t) @@ -16155,23 +16248,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove fs_manage_cifs_files(dovecot_t) fs_manage_cifs_symlinks(dovecot_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.7.10/policy/modules/services/exim.te ---- nsaserefpolicy/policy/modules/services/exim.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/exim.te 2010-02-23 15:54:38.000000000 -0500 -@@ -192,6 +192,10 @@ - ') - - optional_policy(` -+ sendmail_manage_tmp_files(exim_t) -+') -+ -+optional_policy(` - spamassassin_exec(exim_t) - spamassassin_exec_client(exim_t) - ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.10/policy/modules/services/fail2ban.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.11/policy/modules/services/fail2ban.if --- nsaserefpolicy/policy/modules/services/fail2ban.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/fail2ban.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/fail2ban.if 2010-03-03 23:48:01.000000000 -0500 @@ -98,6 +98,46 @@ allow $1 fail2ban_var_run_t:file read_file_perms; ') @@ -16241,9 +16320,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail + + allow $1 fail2ban_t:unix_stream_socket { getattr read write ioctl }; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.10/policy/modules/services/fetchmail.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.11/policy/modules/services/fetchmail.te --- nsaserefpolicy/policy/modules/services/fetchmail.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/fetchmail.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/fetchmail.te 2010-03-03 23:48:01.000000000 -0500 @@ -48,6 +48,7 @@ kernel_dontaudit_read_system_state(fetchmail_t) @@ -16252,9 +16331,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetc corenet_all_recvfrom_unlabeled(fetchmail_t) corenet_all_recvfrom_netlabel(fetchmail_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.10/policy/modules/services/fprintd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.11/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/fprintd.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/fprintd.te 2010-03-03 23:48:01.000000000 -0500 @@ -55,4 +55,6 @@ policykit_read_lib(fprintd_t) policykit_dbus_chat(fprintd_t) @@ -16262,9 +16341,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri + policykit_dbus_chat_auth(fprintd_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.7.10/policy/modules/services/ftp.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.7.11/policy/modules/services/ftp.fc --- nsaserefpolicy/policy/modules/services/ftp.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/ftp.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/ftp.fc 2010-03-03 23:48:01.000000000 -0500 @@ -22,7 +22,7 @@ # # /var @@ -16274,9 +16353,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. /var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.10/policy/modules/services/ftp.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.11/policy/modules/services/ftp.if --- nsaserefpolicy/policy/modules/services/ftp.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/ftp.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/ftp.if 2010-03-03 23:48:01.000000000 -0500 @@ -115,6 +115,44 @@ role $2 types ftpdctl_t; ') @@ -16322,9 +16401,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ######################################## ## ## All of the rules required to administrate -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.10/policy/modules/services/ftp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.11/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/ftp.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/ftp.te 2010-03-03 23:48:01.000000000 -0500 @@ -41,11 +41,51 @@ ## @@ -16573,9 +16652,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. + fs_read_nfs_files(sftpd_t) + fs_read_nfs_symlinks(ftpd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.10/policy/modules/services/git.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.11/policy/modules/services/git.fc --- nsaserefpolicy/policy/modules/services/git.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/git.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/git.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,3 +1,16 @@ -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0) -/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) @@ -16596,9 +16675,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + +/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t, s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.10/policy/modules/services/git.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.11/policy/modules/services/git.if --- nsaserefpolicy/policy/modules/services/git.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/git.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/git.if 2010-03-03 23:48:01.000000000 -0500 @@ -1 +1,535 @@ -## GIT revision control system +## Git - Fast Version Control System. @@ -17136,9 +17215,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + userdom_search_user_home_dirs($1) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.10/policy/modules/services/git.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.11/policy/modules/services/git.te --- nsaserefpolicy/policy/modules/services/git.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/git.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/git.te 2010-03-03 23:48:01.000000000 -0500 @@ -1,9 +1,182 @@ -policy_module(git, 1.0) @@ -17325,9 +17404,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. -apache_content_template(git) +#git_role_template(git_shell) +#gen_user(git_shell_u, user, git_shell_r, s0, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.10/policy/modules/services/gpsd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.11/policy/modules/services/gpsd.te --- nsaserefpolicy/policy/modules/services/gpsd.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/gpsd.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/gpsd.te 2010-03-03 23:48:01.000000000 -0500 @@ -25,7 +25,7 @@ # gpsd local policy # @@ -17337,9 +17416,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd allow gpsd_t self:process setsched; allow gpsd_t self:shm create_shm_perms; allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.10/policy/modules/services/hal.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.11/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/hal.te 2010-03-01 08:44:41.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/hal.te 2010-03-03 23:48:01.000000000 -0500 @@ -55,6 +55,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -17443,9 +17522,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ######################################## # # Local hald dccm policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.7.10/policy/modules/services/howl.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.7.11/policy/modules/services/howl.te --- nsaserefpolicy/policy/modules/services/howl.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/howl.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/howl.te 2010-03-03 23:48:01.000000000 -0500 @@ -30,7 +30,7 @@ kernel_read_network_state(howl_t) @@ -17455,9 +17534,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl kernel_list_proc(howl_t) kernel_read_proc_symlinks(howl_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.fc serefpolicy-3.7.10/policy/modules/services/icecast.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.fc serefpolicy-3.7.11/policy/modules/services/icecast.fc --- nsaserefpolicy/policy/modules/services/icecast.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/icecast.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/icecast.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/icecast -- gen_context(system_u:object_r:icecast_initrc_exec_t,s0) + @@ -17466,9 +17545,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec +/var/log/icecast(/.*)? gen_context(system_u:object_r:icecast_log_t,s0) + +/var/run/icecast(/.*)? gen_context(system_u:object_r:icecast_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.if serefpolicy-3.7.10/policy/modules/services/icecast.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.if serefpolicy-3.7.11/policy/modules/services/icecast.if --- nsaserefpolicy/policy/modules/services/icecast.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/icecast.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/icecast.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,199 @@ + +## ShoutCast compatible streaming media server @@ -17669,9 +17748,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec + icecast_manage_log($1) + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.10/policy/modules/services/icecast.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.11/policy/modules/services/icecast.te --- nsaserefpolicy/policy/modules/services/icecast.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/icecast.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/icecast.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,59 @@ +policy_module(icecast,1.0.0) + @@ -17732,9 +17811,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec +optional_policy(` + rtkit_daemon_system_domain(icecast_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.7.10/policy/modules/services/inn.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.7.11/policy/modules/services/inn.te --- nsaserefpolicy/policy/modules/services/inn.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/inn.te 2010-03-01 09:16:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/inn.te 2010-03-03 23:48:01.000000000 -0500 @@ -106,6 +106,7 @@ userdom_dontaudit_use_unpriv_user_fds(innd_t) @@ -17743,9 +17822,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn. mta_send_mail(innd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.10/policy/modules/services/kerberos.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.11/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/kerberos.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/kerberos.if 2010-03-03 23:48:01.000000000 -0500 @@ -74,7 +74,7 @@ ') @@ -17766,9 +17845,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb tunable_policy(`allow_kerberos',` allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.10/policy/modules/services/kerberos.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.11/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/kerberos.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/kerberos.te 2010-03-03 23:48:01.000000000 -0500 @@ -112,6 +112,7 @@ kernel_read_kernel_sysctls(kadmind_t) @@ -17786,18 +17865,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb allow kpropd_t krb5_keytab_t:file read_file_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.10/policy/modules/services/ksmtuned.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.11/policy/modules/services/ksmtuned.fc --- nsaserefpolicy/policy/modules/services/ksmtuned.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/ksmtuned.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/ksmtuned.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,5 @@ +/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0) + +/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0) + +/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.10/policy/modules/services/ksmtuned.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.11/policy/modules/services/ksmtuned.if --- nsaserefpolicy/policy/modules/services/ksmtuned.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/ksmtuned.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/ksmtuned.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,76 @@ + +## policy for Kernel Samepage Merging (KSM) Tuning Daemon @@ -17875,9 +17954,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt + allow $2 system_r; + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.10/policy/modules/services/ksmtuned.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.11/policy/modules/services/ksmtuned.te --- nsaserefpolicy/policy/modules/services/ksmtuned.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/ksmtuned.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/ksmtuned.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,44 @@ +policy_module(ksmtuned,1.0.0) + @@ -17923,9 +18002,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt +files_read_etc_files(ksmtuned_t) + +miscfiles_read_localization(ksmtuned_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.10/policy/modules/services/ldap.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.11/policy/modules/services/ldap.fc --- nsaserefpolicy/policy/modules/services/ldap.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/ldap.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/ldap.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,8 +1,12 @@ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) @@ -17952,9 +18031,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.10/policy/modules/services/ldap.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.11/policy/modules/services/ldap.if --- nsaserefpolicy/policy/modules/services/ldap.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/ldap.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/ldap.if 2010-03-03 23:48:01.000000000 -0500 @@ -1,5 +1,43 @@ ## OpenLDAP directory server @@ -17999,10 +18078,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap ######################################## ## ## Read the contents of the OpenLDAP -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.10/policy/modules/services/ldap.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.11/policy/modules/services/ldap.te --- nsaserefpolicy/policy/modules/services/ldap.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/ldap.te 2010-02-23 15:54:38.000000000 -0500 -@@ -28,6 +28,9 @@ ++++ serefpolicy-3.7.11/policy/modules/services/ldap.te 2010-03-03 23:48:01.000000000 -0500 +@@ -28,9 +28,15 @@ type slapd_replog_t; files_type(slapd_replog_t) @@ -18012,7 +18091,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap type slapd_tmp_t; files_tmp_file(slapd_tmp_t) -@@ -68,6 +71,10 @@ ++type slapd_tmpfs_t; ++files_tmpfs_file(slapd_tmpfs_t) ++ + type slapd_var_run_t; + files_pid_file(slapd_var_run_t) + +@@ -68,10 +74,17 @@ manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) @@ -18023,9 +18108,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.10/policy/modules/services/lircd.te + ++manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t) ++fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t,file) ++ + manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) + manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) + files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file }) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.11/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/lircd.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/lircd.te 2010-03-03 23:48:01.000000000 -0500 @@ -24,8 +24,11 @@ # lircd local policy # @@ -18074,9 +18166,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc + +sysnet_dns_name_resolve(lircd_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.7.10/policy/modules/services/mailman.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.7.11/policy/modules/services/mailman.fc --- nsaserefpolicy/policy/modules/services/mailman.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/mailman.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/mailman.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,4 +1,4 @@ -/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/lib(64)?/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) @@ -18098,9 +18190,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail /var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.10/policy/modules/services/memcached.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.11/policy/modules/services/memcached.te --- nsaserefpolicy/policy/modules/services/memcached.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/memcached.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/memcached.te 2010-03-03 23:48:01.000000000 -0500 @@ -22,9 +22,12 @@ # @@ -18131,9 +18223,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memc +term_dontaudit_use_all_ptys(memcached_t) +term_dontaudit_use_all_ttys(memcached_t) +term_dontaudit_use_console(memcached_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.10/policy/modules/services/modemmanager.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.11/policy/modules/services/modemmanager.te --- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/modemmanager.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/modemmanager.te 2010-03-03 23:48:01.000000000 -0500 @@ -16,8 +16,8 @@ # # ModemManager local policy @@ -18153,9 +18245,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode term_use_unallocated_ttys(modemmanager_t) miscfiles_read_localization(modemmanager_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.10/policy/modules/services/mta.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.11/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/mta.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/mta.fc 2010-03-03 23:48:01.000000000 -0500 @@ -13,6 +13,8 @@ /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -18165,9 +18257,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.10/policy/modules/services/mta.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.11/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/mta.if 2010-02-26 14:53:51.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/mta.if 2010-03-03 23:48:01.000000000 -0500 @@ -220,6 +220,25 @@ application_executable_file($1) ') @@ -18283,9 +18375,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## Read the mail queue. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.10/policy/modules/services/mta.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.11/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/mta.te 2010-02-25 08:06:42.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/mta.te 2010-03-03 23:48:01.000000000 -0500 @@ -63,6 +63,9 @@ can_exec(system_mail_t, mta_exec_type) @@ -18359,9 +18451,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t) read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.10/policy/modules/services/munin.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.11/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/munin.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/munin.fc 2010-03-03 23:48:01.000000000 -0500 @@ -9,3 +9,6 @@ /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) @@ -18369,9 +18461,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) +/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.10/policy/modules/services/munin.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.11/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/munin.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/munin.te 2010-03-03 23:48:01.000000000 -0500 @@ -33,7 +33,7 @@ # Local policy # @@ -18413,9 +18505,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.7.10/policy/modules/services/mysql.if ---- nsaserefpolicy/policy/modules/services/mysql.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/mysql.if 2010-02-23 15:54:38.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.7.11/policy/modules/services/mysql.if +--- nsaserefpolicy/policy/modules/services/mysql.if 2010-03-01 15:12:54.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/mysql.if 2010-03-03 23:48:01.000000000 -0500 @@ -1,5 +1,43 @@ ## Policy for MySQL @@ -18460,12 +18552,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ######################################## ## ## Send a generic signal to MySQL. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.10/policy/modules/services/mysql.te ---- nsaserefpolicy/policy/modules/services/mysql.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/mysql.te 2010-02-23 15:54:38.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.11/policy/modules/services/mysql.te +--- nsaserefpolicy/policy/modules/services/mysql.te 2010-03-01 15:12:54.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/mysql.te 2010-03-03 23:48:01.000000000 -0500 @@ -1,6 +1,13 @@ - policy_module(mysql, 1.11.1) + policy_module(mysql, 1.11.2) +## +##

@@ -18477,7 +18569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ######################################## # # Declarations -@@ -37,7 +44,7 @@ +@@ -47,7 +54,7 @@ # Local policy # @@ -18486,7 +18578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq dontaudit mysqld_t self:capability sys_tty_config; allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; allow mysqld_t self:fifo_file rw_fifo_file_perms; -@@ -109,6 +116,11 @@ +@@ -120,6 +127,11 @@ # for /root/.my.cnf - should not be needed: userdom_read_user_home_content_files(mysqld_t) @@ -18498,7 +18590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ifdef(`distro_redhat',` # because Fedora has the sock_file in the database directory type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t; -@@ -131,20 +143,26 @@ +@@ -142,20 +154,26 @@ # Local mysqld_safe policy # @@ -18527,7 +18619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq dev_list_sysfs(mysqld_safe_t) -@@ -158,6 +176,7 @@ +@@ -169,6 +187,7 @@ miscfiles_read_localization(mysqld_safe_t) mysql_manage_db_files(mysqld_safe_t) @@ -18535,9 +18627,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq mysql_read_config(mysqld_safe_t) mysql_search_pid_files(mysqld_safe_t) mysql_write_log(mysqld_safe_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.10/policy/modules/services/nagios.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.11/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/nagios.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/nagios.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,16 +1,89 @@ /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) @@ -18633,9 +18725,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + +# unconfined plugins +/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.10/policy/modules/services/nagios.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.11/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/nagios.if 2010-02-26 15:37:58.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/nagios.if 2010-03-03 23:48:01.000000000 -0500 @@ -64,8 +64,8 @@ ######################################## @@ -18799,9 +18891,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + + admin_pattern($1, nrpe_etc_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.10/policy/modules/services/nagios.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.11/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/nagios.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/nagios.te 2010-03-03 23:48:01.000000000 -0500 @@ -6,17 +6,23 @@ # Declarations # @@ -19186,9 +19278,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +optional_policy(` + init_read_utmp(nagios_system_plugin_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.10/policy/modules/services/networkmanager.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.11/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/networkmanager.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/networkmanager.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,12 +1,32 @@ +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0) +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) @@ -19222,9 +19314,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.10/policy/modules/services/networkmanager.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.11/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/networkmanager.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/networkmanager.if 2010-03-03 23:48:01.000000000 -0500 @@ -118,6 +118,24 @@ ######################################## @@ -19301,9 +19393,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + role $2 types NetworkManager_t; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.10/policy/modules/services/networkmanager.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.11/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/networkmanager.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/networkmanager.te 2010-03-03 23:48:01.000000000 -0500 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) @@ -19547,9 +19639,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.10/policy/modules/services/nis.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.11/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/nis.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/nis.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,4 +1,7 @@ - +/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) @@ -19568,9 +19660,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. +/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0) +/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0) +/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.10/policy/modules/services/nis.if ---- nsaserefpolicy/policy/modules/services/nis.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/nis.if 2010-02-23 15:54:38.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.11/policy/modules/services/nis.if +--- nsaserefpolicy/policy/modules/services/nis.if 2010-03-03 23:26:37.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/nis.if 2010-03-03 23:48:01.000000000 -0500 @@ -28,7 +28,7 @@ type var_yp_t; ') @@ -19580,7 +19672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. allow $1 self:tcp_socket create_stream_socket_perms; allow $1 self:udp_socket create_socket_perms; -@@ -76,6 +76,10 @@ +@@ -88,6 +88,10 @@ ## # interface(`nis_use_ypbind',` @@ -19591,16 +19683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. tunable_policy(`allow_ypbind',` nis_use_ypbind_uncond($1) ') -@@ -87,7 +91,7 @@ - ##

- ## - ## --## Domain allowed access. -+## The type of the process performing this action. - ## - ## - ## -@@ -262,6 +266,43 @@ +@@ -274,6 +278,43 @@ ######################################## ## @@ -19644,29 +19727,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. ## All of the rules required to administrate ## an nis environment ## -@@ -272,16 +313,19 @@ - ## - ## - ## --## Role allowed access. -+## The role to be allowed to manage the nis domain. - ## - ## - ## - # - interface(`nis_admin',` - gen_require(` -- type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t; -+ type ypbind_t, yppasswdd_t; -+ type ypserv_t, ypxfr_t; +@@ -294,6 +335,7 @@ + type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t; type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; -+ type ypbind_initrc_exec_t; -+ type nis_initrc_exec_t; ++ type ypbind_initrc_exec_t, nis_initrc_exec_t; ') allow $1 ypbind_t:process { ptrace signal_perms }; -@@ -296,6 +340,13 @@ +@@ -308,6 +350,13 @@ allow $1 ypxfr_t:process { ptrace signal_perms }; ps_process_pattern($1, ypxfr_t) @@ -19680,7 +19749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. files_list_tmp($1) admin_pattern($1, ypbind_tmp_t) -@@ -311,3 +362,31 @@ +@@ -323,3 +372,30 @@ admin_pattern($1, ypserv_var_run_t) ') @@ -19711,10 +19780,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. + nis_domtrans_ypbind($1) + role $2 types ypbind_t; +') -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.10/policy/modules/services/nis.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.11/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/nis.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/nis.te 2010-03-03 23:48:01.000000000 -0500 @@ -13,6 +13,9 @@ type ypbind_exec_t; init_daemon_domain(ypbind_t, ypbind_exec_t) @@ -19786,9 +19854,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_tcp_bind_all_rpc_ports(ypxfr_t) corenet_udp_bind_all_rpc_ports(ypxfr_t) corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.10/policy/modules/services/nscd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.11/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/nscd.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/nscd.if 2010-03-03 23:48:01.000000000 -0500 @@ -121,6 +121,24 @@ ######################################## @@ -19823,9 +19891,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.10/policy/modules/services/nscd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.11/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/nscd.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/nscd.te 2010-03-03 23:48:01.000000000 -0500 @@ -1,10 +1,17 @@ -policy_module(nscd, 1.10.0) @@ -19870,9 +19938,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd +optional_policy(` + unconfined_dontaudit_rw_packet_sockets(nscd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.7.10/policy/modules/services/ntop.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.7.11/policy/modules/services/ntop.fc --- nsaserefpolicy/policy/modules/services/ntop.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/ntop.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/ntop.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,7 +1,6 @@ /etc/ntop(/.*)? gen_context(system_u:object_r:ntop_etc_t,s0) @@ -19881,9 +19949,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop /var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0) /var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.10/policy/modules/services/ntop.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.11/policy/modules/services/ntop.te --- nsaserefpolicy/policy/modules/services/ntop.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/ntop.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/ntop.te 2010-03-03 23:48:01.000000000 -0500 @@ -11,12 +11,12 @@ init_daemon_domain(ntop_t, ntop_exec_t) application_domain(ntop_t, ntop_exec_t) @@ -19974,9 +20042,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop seutil_sigchld_newrole(ntop_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.10/policy/modules/services/ntp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.11/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/ntp.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/ntp.te 2010-03-03 23:48:01.000000000 -0500 @@ -100,6 +100,8 @@ fs_getattr_all_fs(ntpd_t) @@ -19986,9 +20054,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. term_use_ptmx(ntpd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.10/policy/modules/services/nut.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.11/policy/modules/services/nut.te --- nsaserefpolicy/policy/modules/services/nut.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/nut.te 2010-02-26 08:33:54.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/nut.te 2010-03-03 23:48:01.000000000 -0500 @@ -29,7 +29,8 @@ # Local policy for upsd # @@ -20031,9 +20099,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut. + + sysnet_dns_name_resolve(httpd_nutups_cgi_script_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.10/policy/modules/services/nx.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.11/policy/modules/services/nx.fc --- nsaserefpolicy/policy/modules/services/nx.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/nx.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/nx.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,7 +1,15 @@ /opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) @@ -20052,9 +20120,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.f +/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) + /usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.10/policy/modules/services/nx.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.11/policy/modules/services/nx.if --- nsaserefpolicy/policy/modules/services/nx.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/nx.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/nx.if 2010-03-03 23:48:01.000000000 -0500 @@ -17,3 +17,70 @@ spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t) @@ -20126,9 +20194,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.i + + filetrans_pattern($1, nx_server_var_lib_t, $2, $3) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.10/policy/modules/services/nx.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.11/policy/modules/services/nx.te --- nsaserefpolicy/policy/modules/services/nx.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/nx.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/nx.te 2010-03-03 23:48:01.000000000 -0500 @@ -25,6 +25,12 @@ type nx_server_var_run_t; files_pid_file(nx_server_var_run_t) @@ -20163,9 +20231,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.t kernel_read_system_state(nx_server_t) kernel_read_kernel_sysctls(nx_server_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.10/policy/modules/services/oddjob.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.11/policy/modules/services/oddjob.if --- nsaserefpolicy/policy/modules/services/oddjob.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/oddjob.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/oddjob.if 2010-03-03 23:48:01.000000000 -0500 @@ -44,6 +44,7 @@ ') @@ -20174,9 +20242,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.7.10/policy/modules/services/oddjob.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.7.11/policy/modules/services/oddjob.te --- nsaserefpolicy/policy/modules/services/oddjob.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/oddjob.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/oddjob.te 2010-03-03 23:48:01.000000000 -0500 @@ -100,8 +100,7 @@ # Add/remove user home directories @@ -20188,9 +20256,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj +userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) +userdom_manage_user_home_content(oddjob_mkhomedir_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.10/policy/modules/services/openvpn.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.11/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/openvpn.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/openvpn.te 2010-03-03 23:48:01.000000000 -0500 @@ -41,7 +41,7 @@ # openvpn local policy # @@ -20226,9 +20294,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open sysnet_etc_filetrans_config(openvpn_t) userdom_use_user_terminals(openvpn_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.10/policy/modules/services/pcscd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.11/policy/modules/services/pcscd.if --- nsaserefpolicy/policy/modules/services/pcscd.if 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/pcscd.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/pcscd.if 2010-03-03 23:48:01.000000000 -0500 @@ -39,6 +39,44 @@ ######################################## @@ -20274,9 +20342,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcsc ## Connect to pcscd over an unix stream socket. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.10/policy/modules/services/pegasus.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.11/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/pegasus.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/pegasus.te 2010-03-03 23:48:01.000000000 -0500 @@ -30,7 +30,7 @@ # Local policy # @@ -20348,9 +20416,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega + xen_stream_connect(pegasus_t) + xen_stream_connect_xenstore(pegasus_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.7.10/policy/modules/services/plymouthd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.7.11/policy/modules/services/plymouthd.fc --- nsaserefpolicy/policy/modules/services/plymouthd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/plymouthd.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/plymouthd.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,9 @@ +/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t, s0) + @@ -20361,9 +20429,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym +/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t, s0) + +/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.if serefpolicy-3.7.10/policy/modules/services/plymouthd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.if serefpolicy-3.7.11/policy/modules/services/plymouthd.if --- nsaserefpolicy/policy/modules/services/plymouthd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/plymouthd.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/plymouthd.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,322 @@ +## policy for plymouthd + @@ -20687,9 +20755,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym + + allow $1 plymouthd_t:unix_stream_socket connectto; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.7.10/policy/modules/services/plymouthd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.7.11/policy/modules/services/plymouthd.te --- nsaserefpolicy/policy/modules/services/plymouthd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/plymouthd.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/plymouthd.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,105 @@ +policy_module(plymouthd, 1.0.0) + @@ -20796,9 +20864,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym + hal_dontaudit_rw_pipes(plymouth_t) +') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.10/policy/modules/services/policykit.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.11/policy/modules/services/policykit.fc --- nsaserefpolicy/policy/modules/services/policykit.fc 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/policykit.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/policykit.fc 2010-03-03 23:48:01.000000000 -0500 @@ -6,10 +6,13 @@ /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) @@ -20814,9 +20882,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.10/policy/modules/services/policykit.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.11/policy/modules/services/policykit.if --- nsaserefpolicy/policy/modules/services/policykit.if 2009-08-18 18:39:50.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/policykit.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/policykit.if 2010-03-03 23:48:01.000000000 -0500 @@ -17,12 +17,37 @@ class dbus send_msg; ') @@ -20913,9 +20981,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli + + allow $1 policykit_auth_t:process signal; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.10/policy/modules/services/policykit.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.11/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/policykit.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/policykit.te 2010-03-03 23:48:01.000000000 -0500 @@ -36,11 +36,12 @@ # policykit local policy # @@ -20948,7 +21016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli auth_use_nsswitch(policykit_t) -@@ -68,21 +73,42 @@ +@@ -68,21 +73,43 @@ miscfiles_read_localization(policykit_t) @@ -20981,7 +21049,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli -allow policykit_auth_t self:process getattr; -allow policykit_auth_t self:fifo_file rw_file_perms; +allow policykit_auth_t self:capability { setgid setuid }; -+allow policykit_auth_t self:process { getattr getsched }; ++dontaudit policykit_auth_t self:capability sys_tty_config; ++allow policykit_auth_t self:process { getattr getsched signal }; +allow policykit_auth_t self:fifo_file rw_fifo_file_perms; + allow policykit_auth_t self:unix_dgram_socket create_socket_perms; @@ -20995,7 +21064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) -@@ -92,21 +118,29 @@ +@@ -92,21 +119,29 @@ manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) @@ -21027,7 +21096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -119,6 +153,14 @@ +@@ -119,6 +154,14 @@ hal_read_state(policykit_auth_t) ') @@ -21042,7 +21111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli ######################################## # # polkit_grant local policy -@@ -126,7 +168,8 @@ +@@ -126,7 +169,8 @@ allow policykit_grant_t self:capability setuid; allow policykit_grant_t self:process getattr; @@ -21052,7 +21121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -156,9 +199,12 @@ +@@ -156,9 +200,12 @@ userdom_read_all_users_state(policykit_grant_t) optional_policy(` @@ -21066,7 +21135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -170,7 +216,8 @@ +@@ -170,7 +217,8 @@ allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; allow policykit_resolve_t self:process getattr; @@ -21076,9 +21145,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.10/policy/modules/services/portreserve.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.11/policy/modules/services/portreserve.te --- nsaserefpolicy/policy/modules/services/portreserve.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/portreserve.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/portreserve.te 2010-03-03 23:48:01.000000000 -0500 @@ -21,6 +21,7 @@ # Portreserve local policy # @@ -21096,9 +21165,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port corenet_all_recvfrom_unlabeled(portreserve_t) corenet_all_recvfrom_netlabel(portreserve_t) corenet_tcp_bind_generic_node(portreserve_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.10/policy/modules/services/postfix.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.11/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/postfix.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/postfix.fc 2010-03-03 23:48:01.000000000 -0500 @@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) @@ -21112,9 +21181,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.10/policy/modules/services/postfix.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.11/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/postfix.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/postfix.if 2010-03-03 23:48:01.000000000 -0500 @@ -46,6 +46,7 @@ allow postfix_$1_t postfix_etc_t:dir list_dir_perms; @@ -21409,9 +21478,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + role $2 types postfix_postdrop_t; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.10/policy/modules/services/postfix.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.11/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/postfix.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/postfix.te 2010-03-03 23:48:01.000000000 -0500 @@ -6,6 +6,15 @@ # Declarations # @@ -21812,9 +21881,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +userdom_manage_user_home_content(postfix_virtual_t) +userdom_home_filetrans_user_home_dir(postfix_virtual_t) +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.10/policy/modules/services/postgresql.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.11/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/postgresql.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/postgresql.fc 2010-03-03 23:48:01.000000000 -0500 @@ -3,6 +3,7 @@ # /etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0) @@ -21841,9 +21910,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) + +/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.10/policy/modules/services/postgresql.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.11/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/postgresql.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/postgresql.if 2010-03-03 23:48:01.000000000 -0500 @@ -125,6 +125,23 @@ typeattribute $1 sepgsql_table_type; ') @@ -21868,9 +21937,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## ## ## Marks as a SE-PostgreSQL system table/column/tuple object type -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.10/policy/modules/services/postgresql.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.11/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/postgresql.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/postgresql.te 2010-03-03 23:48:01.000000000 -0500 @@ -150,6 +150,7 @@ dontaudit postgresql_t self:capability { sys_tty_config sys_admin }; allow postgresql_t self:process signal_perms; @@ -21905,9 +21974,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post miscfiles_read_localization(postgresql_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.7.10/policy/modules/services/ppp.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.7.11/policy/modules/services/ppp.fc --- nsaserefpolicy/policy/modules/services/ppp.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/ppp.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/ppp.fc 2010-03-03 23:48:01.000000000 -0500 @@ -3,6 +3,7 @@ # /etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) @@ -21916,9 +21985,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. /etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) /etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) /etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.10/policy/modules/services/ppp.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.11/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2010-01-18 15:04:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/ppp.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/ppp.if 2010-03-03 23:48:01.000000000 -0500 @@ -182,6 +182,10 @@ ppp_domtrans($1) role $2 types pppd_t; @@ -21930,9 +21999,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.10/policy/modules/services/ppp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.11/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2010-01-18 15:04:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/ppp.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/ppp.te 2010-03-03 23:48:01.000000000 -0500 @@ -71,9 +71,9 @@ # PPPD Local policy # @@ -21970,9 +22039,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. optional_policy(` consoletype_exec(pppd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.10/policy/modules/services/prelude.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.11/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/prelude.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/prelude.te 2010-03-03 23:48:01.000000000 -0500 @@ -90,6 +90,7 @@ corenet_tcp_bind_prelude_port(prelude_t) corenet_tcp_connect_prelude_port(prelude_t) @@ -21990,9 +22059,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel fs_rw_anon_inodefs_files(prelude_lml_t) auth_use_nsswitch(prelude_lml_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.10/policy/modules/services/procmail.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.11/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/procmail.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/procmail.te 2010-03-03 23:48:01.000000000 -0500 @@ -22,7 +22,7 @@ # Local policy # @@ -22040,9 +22109,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.10/policy/modules/services/pyzor.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.11/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/pyzor.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/pyzor.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,6 +1,10 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) @@ -22054,9 +22123,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.10/policy/modules/services/pyzor.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.11/policy/modules/services/pyzor.if --- nsaserefpolicy/policy/modules/services/pyzor.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/pyzor.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/pyzor.if 2010-03-03 23:48:01.000000000 -0500 @@ -88,3 +88,50 @@ corecmd_search_bin($1) can_exec($1, pyzor_exec_t) @@ -22108,9 +22177,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.10/policy/modules/services/pyzor.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.11/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/pyzor.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/pyzor.te 2010-03-03 23:48:01.000000000 -0500 @@ -6,6 +6,38 @@ # Declarations # @@ -22175,9 +22244,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo userdom_dontaudit_search_user_home_dirs(pyzor_t) optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.7.10/policy/modules/services/radvd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.7.11/policy/modules/services/radvd.te --- nsaserefpolicy/policy/modules/services/radvd.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/radvd.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/radvd.te 2010-03-03 23:48:01.000000000 -0500 @@ -22,9 +22,9 @@ # # Local policy @@ -22213,17 +22282,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radv seutil_sigchld_newrole(radvd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.10/policy/modules/services/razor.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.11/policy/modules/services/razor.fc --- nsaserefpolicy/policy/modules/services/razor.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/razor.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/razor.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,3 +1,4 @@ +/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.10/policy/modules/services/razor.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.11/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/razor.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/razor.if 2010-03-03 23:48:01.000000000 -0500 @@ -157,3 +157,45 @@ domtrans_pattern($1, razor_exec_t, razor_t) @@ -22270,9 +22339,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo + read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.10/policy/modules/services/razor.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.11/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/razor.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/razor.te 2010-03-03 23:48:01.000000000 -0500 @@ -6,6 +6,32 @@ # Declarations # @@ -22324,9 +22393,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo +') + ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.7.10/policy/modules/services/rdisc.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.7.11/policy/modules/services/rdisc.if --- nsaserefpolicy/policy/modules/services/rdisc.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/rdisc.if 2010-02-26 08:34:00.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/rdisc.if 2010-03-03 23:48:01.000000000 -0500 @@ -1 +1,20 @@ ## Network router discovery daemon + @@ -22348,9 +22417,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdis + corecmd_search_bin($1) + can_exec($1,rdisc_exec_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.10/policy/modules/services/rgmanager.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.11/policy/modules/services/rgmanager.fc --- nsaserefpolicy/policy/modules/services/rgmanager.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/rgmanager.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/rgmanager.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,8 @@ + +/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) @@ -22360,9 +22429,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) + +/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.10/policy/modules/services/rgmanager.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.11/policy/modules/services/rgmanager.if --- nsaserefpolicy/policy/modules/services/rgmanager.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/rgmanager.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/rgmanager.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,98 @@ +## SELinux policy for rgmanager + @@ -22462,9 +22531,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma + manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t) + manage_lnk_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.10/policy/modules/services/rgmanager.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.11/policy/modules/services/rgmanager.te --- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/rgmanager.te 2010-02-26 11:53:19.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/rgmanager.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,223 @@ + +policy_module(rgmanager,1.0.0) @@ -22689,9 +22758,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +optional_policy(` + xen_domtrans_xm(rgmanager_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.10/policy/modules/services/rhcs.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.11/policy/modules/services/rhcs.fc --- nsaserefpolicy/policy/modules/services/rhcs.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/rhcs.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/rhcs.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,23 @@ +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) +/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) @@ -22716,9 +22785,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) +/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.10/policy/modules/services/rhcs.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.11/policy/modules/services/rhcs.if --- nsaserefpolicy/policy/modules/services/rhcs.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/rhcs.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/rhcs.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,424 @@ +## SELinux policy for RHCS - Red Hat Cluster Suite + @@ -23144,9 +23213,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.10/policy/modules/services/rhcs.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.11/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/rhcs.te 2010-02-26 11:55:16.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/rhcs.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,248 @@ + +policy_module(rhcs,1.1.0) @@ -23396,9 +23465,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +optional_policy(` + corosync_stream_connect(cluster_domain) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.10/policy/modules/services/ricci.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.11/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/ricci.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/ricci.te 2010-03-04 09:03:39.000000000 -0500 @@ -194,10 +194,13 @@ # ricci_modcluster local policy # @@ -23437,7 +23506,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc # XXX This has got to go. unconfined_domain(ricci_modcluster_t) ') -@@ -264,6 +276,7 @@ +@@ -259,11 +271,11 @@ + allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms; + allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms; + allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms; +-allow ricci_modclusterd_t self:netlink_route_socket r_netlink_socket_perms; + # cjp: this needs to be fixed for a specific socket type: allow ricci_modclusterd_t self:socket create_socket_perms; allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto; @@ -23445,18 +23519,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc # log files allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; -@@ -306,12 +319,21 @@ - sysnet_dns_name_resolve(ricci_modclusterd_t) +@@ -294,6 +306,8 @@ - optional_policy(` -+ aisexec_stream_connect(ricci_modclusterd_t) -+ corosync_stream_connect(ricci_modclusterd_t) -+') + fs_getattr_xattr_fs(ricci_modclusterd_t) + ++auth_use_nsswitch(ricci_modclusterd_t) ++ + init_stream_connect_script(ricci_modclusterd_t) + + locallogin_dontaudit_use_fds(ricci_modclusterd_t) +@@ -303,7 +317,11 @@ + miscfiles_read_localization(ricci_modclusterd_t) + + sysnet_domtrans_ifconfig(ricci_modclusterd_t) +-sysnet_dns_name_resolve(ricci_modclusterd_t) + +optional_policy(` ++ aisexec_stream_connect(ricci_modclusterd_t) ++ corosync_stream_connect(ricci_modclusterd_t) ++') + + optional_policy(` ccs_domtrans(ricci_modclusterd_t) - ccs_stream_connect(ricci_modclusterd_t) - ccs_read_config(ricci_modclusterd_t) +@@ -312,6 +330,10 @@ ') optional_policy(` @@ -23491,9 +23576,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc ccs_stream_connect(ricci_modstorage_t) ccs_read_config(ricci_modstorage_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.7.10/policy/modules/services/rpc.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.7.11/policy/modules/services/rpc.fc --- nsaserefpolicy/policy/modules/services/rpc.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/rpc.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/rpc.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,6 +1,10 @@ # # /etc @@ -23505,9 +23590,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. /etc/exports -- gen_context(system_u:object_r:exports_t,s0) # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.10/policy/modules/services/rpc.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.11/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/rpc.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/rpc.if 2010-03-03 23:48:01.000000000 -0500 @@ -54,7 +54,7 @@ allow $1_t self:unix_dgram_socket create_socket_perms; allow $1_t self:unix_stream_socket create_stream_socket_perms; @@ -23601,9 +23686,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) + allow $1 var_lib_nfs_t:file { relabelfrom relabelto }; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.10/policy/modules/services/rpc.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.11/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/rpc.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/rpc.te 2010-03-03 23:48:01.000000000 -0500 @@ -8,7 +8,7 @@ ## @@ -23738,9 +23823,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.7.10/policy/modules/services/rsync.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.7.11/policy/modules/services/rsync.if --- nsaserefpolicy/policy/modules/services/rsync.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/rsync.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/rsync.if 2010-03-03 23:48:01.000000000 -0500 @@ -119,7 +119,7 @@ type rsync_etc_t; ') @@ -23758,9 +23843,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn + write_files_pattern($1, rsync_etc_t, rsync_etc_t) files_search_etc($1) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.10/policy/modules/services/rsync.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.11/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/rsync.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/rsync.te 2010-03-03 23:48:01.000000000 -0500 @@ -8,6 +8,13 @@ ## @@ -23812,9 +23897,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn +') + auth_can_read_shadow_passwords(rsync_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.10/policy/modules/services/rtkit.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.11/policy/modules/services/rtkit.if --- nsaserefpolicy/policy/modules/services/rtkit.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/rtkit.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/rtkit.if 2010-03-03 23:48:01.000000000 -0500 @@ -38,3 +38,23 @@ allow $1 rtkit_daemon_t:dbus send_msg; allow rtkit_daemon_t $1:dbus send_msg; @@ -23839,9 +23924,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki + allow rtkit_daemon_t $1:process { getsched setsched }; + rtkit_daemon_dbus_chat($1) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.10/policy/modules/services/rtkit.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.11/policy/modules/services/rtkit.te --- nsaserefpolicy/policy/modules/services/rtkit.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/rtkit.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/rtkit.te 2010-03-03 23:48:01.000000000 -0500 @@ -17,9 +17,11 @@ allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace }; @@ -23863,9 +23948,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki optional_policy(` policykit_dbus_chat(rtkit_daemon_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.10/policy/modules/services/samba.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.11/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/samba.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/samba.fc 2010-03-03 23:48:01.000000000 -0500 @@ -51,3 +51,7 @@ /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) @@ -23874,9 +23959,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +ifndef(`enable_mls',` +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.10/policy/modules/services/samba.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.11/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/samba.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/samba.if 2010-03-03 23:48:01.000000000 -0500 @@ -62,6 +62,25 @@ ######################################## @@ -24090,9 +24175,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb admin_pattern($1, winbind_var_run_t) + admin_pattern($1, samba_unconfined_script_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.10/policy/modules/services/samba.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.11/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/samba.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/samba.te 2010-03-03 23:48:01.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -24316,16 +24401,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t smbd_exec_t:file mmap_file_perms ; allow swat_t smbd_t:process signull; -@@ -657,7 +695,7 @@ +@@ -657,7 +695,8 @@ files_pid_filetrans(swat_t, swat_var_run_t, file) allow swat_t winbind_exec_t:file mmap_file_perms; -can_exec(swat_t, winbind_exec_t) +domtrans_pattern(swat_t, winbind_exec_t, winbind_t) ++allow swat_t winbind_t:process { signal signull }; allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -700,6 +738,8 @@ +@@ -700,6 +739,8 @@ miscfiles_read_localization(swat_t) @@ -24334,7 +24420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -713,12 +753,23 @@ +@@ -713,12 +754,23 @@ kerberos_use(swat_t) ') @@ -24359,7 +24445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; -@@ -779,6 +830,9 @@ +@@ -779,6 +831,9 @@ corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -24369,7 +24455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) -@@ -788,7 +842,7 @@ +@@ -788,7 +843,7 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) @@ -24378,7 +24464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(winbind_t) -@@ -866,6 +920,18 @@ +@@ -866,6 +921,18 @@ # optional_policy(` @@ -24397,7 +24483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -876,9 +942,12 @@ +@@ -876,9 +943,12 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -24411,9 +24497,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +',` + can_exec(smbd_t, samba_unconfined_script_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.10/policy/modules/services/sasl.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.11/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/sasl.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/sasl.te 2010-03-03 23:48:01.000000000 -0500 @@ -31,7 +31,7 @@ # Local policy # @@ -24476,9 +24562,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl seutil_sigchld_newrole(saslauthd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.10/policy/modules/services/sendmail.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.11/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/sendmail.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/sendmail.if 2010-03-03 23:48:01.000000000 -0500 @@ -277,3 +277,22 @@ sendmail_domtrans_unconfined($1) role $2 types unconfined_sendmail_t; @@ -24502,9 +24588,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.10/policy/modules/services/sendmail.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.11/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/sendmail.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/sendmail.te 2010-03-03 23:48:01.000000000 -0500 @@ -30,7 +30,7 @@ # @@ -24583,18 +24669,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + unconfined_domain_noaudit(unconfined_sendmail_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.10/policy/modules/services/setroubleshoot.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.11/policy/modules/services/setroubleshoot.fc --- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/setroubleshoot.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/setroubleshoot.fc 2010-03-03 23:48:01.000000000 -0500 @@ -5,3 +5,5 @@ /var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) /var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) + +/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.10/policy/modules/services/setroubleshoot.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.11/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/setroubleshoot.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/setroubleshoot.if 2010-03-03 23:48:01.000000000 -0500 @@ -16,8 +16,8 @@ ') @@ -24732,9 +24818,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr + files_list_pids($1) + admin_pattern($1, setroubleshoot_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.10/policy/modules/services/setroubleshoot.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.11/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/setroubleshoot.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/setroubleshoot.te 2010-03-03 23:48:01.000000000 -0500 @@ -22,13 +22,19 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) @@ -24880,9 +24966,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr + policykit_dbus_chat(setroubleshoot_fixit_t) + userdom_read_all_users_state(setroubleshoot_fixit_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.fc serefpolicy-3.7.10/policy/modules/services/smokeping.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.fc serefpolicy-3.7.11/policy/modules/services/smokeping.fc --- nsaserefpolicy/policy/modules/services/smokeping.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/smokeping.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/smokeping.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,12 @@ + +/etc/rc\.d/init\.d/smokeping -- gen_context(system_u:object_r:smokeping_initrc_exec_t,s0) @@ -24896,9 +24982,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok +/var/run/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_run_t,s0) + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.if serefpolicy-3.7.10/policy/modules/services/smokeping.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.if serefpolicy-3.7.11/policy/modules/services/smokeping.if --- nsaserefpolicy/policy/modules/services/smokeping.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/smokeping.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/smokeping.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,193 @@ + +## policy for smokeping @@ -25093,9 +25179,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok + smokeping_manage_var_lib($1) + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.te serefpolicy-3.7.10/policy/modules/services/smokeping.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.te serefpolicy-3.7.11/policy/modules/services/smokeping.te --- nsaserefpolicy/policy/modules/services/smokeping.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/smokeping.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/smokeping.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,81 @@ + +policy_module(smokeping,1.0.0) @@ -25178,9 +25264,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok + + sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.10/policy/modules/services/snmp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.11/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/snmp.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/snmp.te 2010-03-03 23:48:01.000000000 -0500 @@ -25,7 +25,7 @@ # # Local policy @@ -25190,9 +25276,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.10/policy/modules/services/snort.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.11/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/snort.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/snort.te 2010-03-03 23:48:01.000000000 -0500 @@ -37,6 +37,7 @@ allow snort_t self:tcp_socket create_stream_socket_perms; allow snort_t self:udp_socket create_socket_perms; @@ -25226,9 +25312,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor domain_use_interactive_fds(snort_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.10/policy/modules/services/spamassassin.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.11/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/spamassassin.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/spamassassin.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,15 +1,26 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) @@ -25258,9 +25344,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.10/policy/modules/services/spamassassin.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.11/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/spamassassin.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/spamassassin.if 2010-03-03 23:48:01.000000000 -0500 @@ -111,6 +111,45 @@ ') @@ -25387,9 +25473,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + files_list_pids($1) + admin_pattern($1, spamd_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.10/policy/modules/services/spamassassin.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.11/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/spamassassin.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/spamassassin.te 2010-03-03 23:48:01.000000000 -0500 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) @@ -25695,9 +25781,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +optional_policy(` udev_read_db(spamd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.10/policy/modules/services/squid.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.11/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/squid.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/squid.te 2010-03-03 23:48:01.000000000 -0500 @@ -67,7 +67,9 @@ can_exec(squid_t, squid_exec_t) @@ -25726,18 +25812,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi -#squid requires the following when run in diskd mode, the recommended setting -allow squid_t tmpfs_t:file { read write }; -') dnl end TODO -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.10/policy/modules/services/ssh.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.11/policy/modules/services/ssh.fc --- nsaserefpolicy/policy/modules/services/ssh.fc 2010-01-18 15:04:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/ssh.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/ssh.fc 2010-03-03 23:48:01.000000000 -0500 @@ -14,3 +14,5 @@ /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) + +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.10/policy/modules/services/ssh.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.11/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/ssh.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/ssh.if 2010-03-03 23:48:01.000000000 -0500 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -25905,9 +25991,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ####################################### ## ## Delete from the ssh temp files. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.10/policy/modules/services/ssh.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.11/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/ssh.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/ssh.te 2010-03-03 23:48:01.000000000 -0500 @@ -114,6 +114,7 @@ manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) @@ -26040,9 +26126,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ifdef(`TODO',` tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.10/policy/modules/services/sssd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.11/policy/modules/services/sssd.fc --- nsaserefpolicy/policy/modules/services/sssd.fc 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/sssd.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/sssd.fc 2010-03-03 23:48:01.000000000 -0500 @@ -4,6 +4,8 @@ /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) @@ -26052,9 +26138,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd /var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) /var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.10/policy/modules/services/sssd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.11/policy/modules/services/sssd.if --- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/sssd.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/sssd.if 2010-03-03 23:48:01.000000000 -0500 @@ -38,6 +38,25 @@ ######################################## @@ -26133,9 +26219,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd + + admin_pattern($1, sssd_public_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.10/policy/modules/services/sssd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.11/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/sssd.te 2010-02-25 18:53:37.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/sssd.te 2010-03-03 23:48:01.000000000 -0500 @@ -13,6 +13,9 @@ type sssd_initrc_exec_t; init_script_file(sssd_initrc_exec_t) @@ -26190,9 +26276,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd optional_policy(` dbus_system_bus_client(sssd_t) dbus_connect_system_bus(sssd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.10/policy/modules/services/sysstat.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.11/policy/modules/services/sysstat.te --- nsaserefpolicy/policy/modules/services/sysstat.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/sysstat.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/sysstat.te 2010-03-03 23:48:01.000000000 -0500 @@ -19,14 +19,15 @@ # Local policy # @@ -26211,9 +26297,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/syss logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir }) # get info from /proc -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.7.10/policy/modules/services/telnet.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.7.11/policy/modules/services/telnet.te --- nsaserefpolicy/policy/modules/services/telnet.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/telnet.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/telnet.te 2010-03-03 23:48:01.000000000 -0500 @@ -85,6 +85,7 @@ remotelogin_domtrans(telnetd_t) @@ -26222,9 +26308,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln optional_policy(` kerberos_keytab_template(telnetd, telnetd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.7.10/policy/modules/services/tftp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.7.11/policy/modules/services/tftp.te --- nsaserefpolicy/policy/modules/services/tftp.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/tftp.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/tftp.te 2010-03-03 23:48:01.000000000 -0500 @@ -50,9 +50,8 @@ manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t) files_pid_filetrans(tftpd_t, tftpd_var_run_t, file) @@ -26236,9 +26322,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp corenet_all_recvfrom_unlabeled(tftpd_t) corenet_all_recvfrom_netlabel(tftpd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.if serefpolicy-3.7.10/policy/modules/services/tgtd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.if serefpolicy-3.7.11/policy/modules/services/tgtd.if --- nsaserefpolicy/policy/modules/services/tgtd.if 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/tgtd.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/tgtd.if 2010-03-03 23:48:01.000000000 -0500 @@ -9,3 +9,20 @@ ##

## @@ -26260,9 +26346,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd + + allow $1 tgtd_t:sem { rw_sem_perms }; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.7.10/policy/modules/services/tgtd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.7.11/policy/modules/services/tgtd.te --- nsaserefpolicy/policy/modules/services/tgtd.te 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/tgtd.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/tgtd.te 2010-03-03 23:48:01.000000000 -0500 @@ -60,7 +60,7 @@ files_read_etc_files(tgtd_t) @@ -26272,9 +26358,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd logging_send_syslog_msg(tgtd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.10/policy/modules/services/tor.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.11/policy/modules/services/tor.te --- nsaserefpolicy/policy/modules/services/tor.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/tor.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/tor.te 2010-03-03 23:48:01.000000000 -0500 @@ -6,6 +6,14 @@ # Declarations # @@ -26306,9 +26392,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor. +tunable_policy(`tor_bind_all_unreserved_ports', ` + corenet_tcp_bind_all_unreserved_ports(tor_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.7.10/policy/modules/services/tuned.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.7.11/policy/modules/services/tuned.fc --- nsaserefpolicy/policy/modules/services/tuned.fc 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/tuned.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/tuned.fc 2010-03-03 23:48:01.000000000 -0500 @@ -2,4 +2,7 @@ /usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0) @@ -26317,9 +26403,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune +/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0) + /var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.10/policy/modules/services/tuned.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.11/policy/modules/services/tuned.te --- nsaserefpolicy/policy/modules/services/tuned.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/tuned.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/tuned.te 2010-03-03 23:48:01.000000000 -0500 @@ -13,6 +13,9 @@ type tuned_initrc_exec_t; init_script_file(tuned_initrc_exec_t) @@ -26373,9 +26459,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune # to allow network interface tuning optional_policy(` sysnet_domtrans_ifconfig(tuned_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.7.10/policy/modules/services/ucspitcp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.7.11/policy/modules/services/ucspitcp.te --- nsaserefpolicy/policy/modules/services/ucspitcp.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/ucspitcp.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/ucspitcp.te 2010-03-03 23:48:01.000000000 -0500 @@ -92,3 +92,8 @@ daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t) daemontools_read_svc(ucspitcp_t) @@ -26385,17 +26471,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp + daemontools_sigchld_run(ucspitcp_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.10/policy/modules/services/usbmuxd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.11/policy/modules/services/usbmuxd.fc --- nsaserefpolicy/policy/modules/services/usbmuxd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/usbmuxd.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/usbmuxd.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,4 @@ + +/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0) + +/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.7.10/policy/modules/services/usbmuxd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.7.11/policy/modules/services/usbmuxd.if --- nsaserefpolicy/policy/modules/services/usbmuxd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/usbmuxd.if 2010-02-28 07:25:11.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/usbmuxd.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,39 @@ +## Daemon for communicating with Apple's iPod Touch and iPhone + @@ -26436,10 +26522,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm + files_search_pids($1) + stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.7.10/policy/modules/services/usbmuxd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.7.11/policy/modules/services/usbmuxd.te --- nsaserefpolicy/policy/modules/services/usbmuxd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/usbmuxd.te 2010-02-23 15:54:38.000000000 -0500 -@@ -0,0 +1,47 @@ ++++ serefpolicy-3.7.11/policy/modules/services/usbmuxd.te 2010-03-03 23:48:01.000000000 -0500 +@@ -0,0 +1,48 @@ +policy_module(usbmuxd,1.0.0) + +######################################## @@ -26450,6 +26536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm +type usbmuxd_t; +type usbmuxd_exec_t; +application_domain(usbmuxd_t, usbmuxd_exec_t) ++role system_r types usbmuxd_t; + +type usbmuxd_var_run_t; +files_pid_file(usbmuxd_var_run_t) @@ -26487,9 +26574,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm +auth_use_nsswitch(usbmuxd_t) + +logging_send_syslog_msg(usbmuxd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.10/policy/modules/services/uucp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.11/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/uucp.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/uucp.te 2010-03-03 23:48:01.000000000 -0500 @@ -90,6 +90,7 @@ fs_getattr_xattr_fs(uucpd_t) @@ -26507,9 +26594,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp optional_policy(` cron_system_entry(uucpd_t, uucpd_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.10/policy/modules/services/vhostmd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.11/policy/modules/services/vhostmd.fc --- nsaserefpolicy/policy/modules/services/vhostmd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/vhostmd.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/vhostmd.fc 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,6 @@ + +/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0) @@ -26517,9 +26604,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos +/etc/rc.d/init.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0) +/var/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.7.10/policy/modules/services/vhostmd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.7.11/policy/modules/services/vhostmd.if --- nsaserefpolicy/policy/modules/services/vhostmd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/vhostmd.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/vhostmd.if 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,228 @@ + +## policy for vhostmd @@ -26749,9 +26836,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos + vhostmd_manage_var_run($1) + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.10/policy/modules/services/vhostmd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.11/policy/modules/services/vhostmd.te --- nsaserefpolicy/policy/modules/services/vhostmd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/vhostmd.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/vhostmd.te 2010-03-03 23:48:01.000000000 -0500 @@ -0,0 +1,84 @@ + +policy_module(vhostmd,1.0.0) @@ -26837,9 +26924,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos + xen_stream_connect_xenstore(vhostmd_t) + xen_stream_connect_xm(vhostmd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.10/policy/modules/services/virt.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.11/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/virt.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/virt.fc 2010-03-03 23:48:01.000000000 -0500 @@ -8,6 +8,10 @@ /etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) /etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) @@ -26851,19 +26938,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) /var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.10/policy/modules/services/virt.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.11/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/virt.if 2010-02-26 11:14:28.000000000 -0500 -@@ -22,6 +22,8 @@ ++++ serefpolicy-3.7.11/policy/modules/services/virt.if 2010-03-04 08:13:56.000000000 -0500 +@@ -22,6 +22,11 @@ domain_type($1_t) role system_r types $1_t; ++ type $1_devpts_t; ++ term_pty($1_devpts_t) ++ + domain_user_exemption_target($1_t) + type $1_tmp_t; files_tmp_file($1_tmp_t) -@@ -62,6 +64,9 @@ +@@ -35,6 +40,9 @@ + type $1_var_run_t; + files_pid_file($1_var_run_t) + ++ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; ++ term_create_pty($1_t, $1_devpts_t) ++ + manage_dirs_pattern($1_t, $1_image_t, $1_image_t) + manage_files_pattern($1_t, $1_image_t, $1_image_t) + read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) +@@ -62,6 +70,9 @@ files_pid_filetrans($1_t, $1_var_run_t, { dir file }) stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t) @@ -26873,7 +26973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -293,6 +298,7 @@ +@@ -293,6 +304,7 @@ files_search_var_lib($1) read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) @@ -26881,7 +26981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -505,3 +511,32 @@ +@@ -505,3 +517,32 @@ virt_manage_log($1) ') @@ -26914,9 +27014,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt + ptchown_run(svirt_t, $2) + ') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.10/policy/modules/services/virt.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.11/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/virt.te 2010-03-01 09:05:11.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/virt.te 2010-03-03 23:48:01.000000000 -0500 @@ -15,6 +15,13 @@ ## @@ -27107,9 +27207,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt auth_use_nsswitch(virt_domain) logging_send_syslog_msg(virt_domain) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.10/policy/modules/services/w3c.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.11/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/w3c.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/w3c.te 2010-03-03 23:48:01.000000000 -0500 @@ -8,11 +8,18 @@ apache_content_template(w3c_validator) @@ -27129,9 +27229,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.10/policy/modules/services/xserver.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.11/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/xserver.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/xserver.fc 2010-03-03 23:48:01.000000000 -0500 @@ -3,12 +3,21 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) @@ -27239,9 +27339,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.10/policy/modules/services/xserver.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.11/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/xserver.if 2010-02-26 14:29:51.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/xserver.if 2010-03-04 09:34:53.000000000 -0500 @@ -19,7 +19,7 @@ interface(`xserver_restricted_role',` gen_require(` @@ -27268,21 +27368,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_search_tmp($2) # Communicate via System V shared memory. -@@ -56,6 +57,13 @@ +@@ -56,6 +57,10 @@ domtrans_pattern($2, iceauth_exec_t, iceauth_t) +ifdef(`hide_broken_symptoms', ` -+ dontaudit iceauth_t $2:unix_stream_socket rw_socket_perms; -+ dontaudit iceauth_t $2:tcp_socket rw_socket_perms; -+ dontaudit iceauth_t $2:udp_socket rw_socket_perms; -+ fs_dontaudit_rw_anon_inodefs_files(iceauth_t) ++ dontaudit iceauth_t $2:socket_class_set { read write }; +') + allow $2 iceauth_home_t:file read_file_perms; domtrans_pattern($2, xauth_exec_t, xauth_t) -@@ -71,9 +79,10 @@ +@@ -71,9 +76,10 @@ # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; allow $2 xdm_t:fifo_file { getattr read write ioctl }; @@ -27294,7 +27391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Client read xserver shm allow $2 xserver_t:fd use; -@@ -94,9 +103,9 @@ +@@ -94,9 +100,9 @@ dev_rw_usbfs($2) miscfiles_read_fonts($2) @@ -27305,7 +27402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) -@@ -197,7 +206,7 @@ +@@ -197,7 +203,7 @@ allow $1 xserver_t:process signal; # Read /tmp/.X0-lock @@ -27314,7 +27411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Client read xserver shm allow $1 xserver_t:fd use; -@@ -291,12 +300,12 @@ +@@ -291,12 +297,12 @@ allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -27330,7 +27427,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow $1 xdm_tmp_t:dir search; allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; -@@ -476,6 +485,7 @@ +@@ -355,6 +361,11 @@ + class x_property all_x_property_perms; + class x_event all_x_event_perms; + class x_synthetic_event all_x_synthetic_event_perms; ++ class x_client destroy; ++ class x_server manage; ++ class x_pointer manage; ++ class x_keyboard { read manage }; ++ type xdm_t, xserver_t; + ') + + ############################## +@@ -386,6 +397,14 @@ + allow $2 xevent_t:{ x_event x_synthetic_event } receive; + # dont audit send failures + dontaudit $2 input_xevent_type:x_event send; ++ ++ allow $2 xdm_t:x_drawable { read add_child }; ++ allow $2 xdm_t:x_client destroy; ++ ++ allow $2 root_xdrawable_t:x_drawable write; ++ allow $2 xserver_t:x_server manage; ++ allow $2 xserver_t:x_pointer manage; ++ allow $2 xserver_t:x_keyboard { read manage }; + ') + + ####################################### +@@ -476,6 +495,7 @@ xserver_use_user_fonts($2) xserver_read_xdm_tmp_files($2) @@ -27338,18 +27462,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # X object manager xserver_object_types_template($1) -@@ -545,6 +555,10 @@ +@@ -545,6 +565,9 @@ ') domtrans_pattern($1, xauth_exec_t, xauth_t) +ifdef(`hide_broken_symptoms', ` + dontaudit xauth_t $1:socket_class_set { read write }; -+ fs_dontaudit_rw_anon_inodefs_files(xauth_t) +') ') ######################################## -@@ -598,6 +612,7 @@ +@@ -598,6 +621,7 @@ allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -27357,7 +27480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -805,7 +820,7 @@ +@@ -805,7 +829,7 @@ ') files_search_pids($1) @@ -27366,7 +27489,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1250,3 +1265,329 @@ +@@ -1224,9 +1248,20 @@ + class x_device all_x_device_perms; + class x_pointer all_x_pointer_perms; + class x_keyboard all_x_keyboard_perms; ++ class x_screen all_x_screen_perms; ++ class x_drawable { manage }; ++ type root_xdrawable_t; ++ attribute x_domain; ++ class x_drawable { read manage setattr show }; ++ class x_resource { write read }; + ') + + allow $1 xserver_t:{ x_device x_pointer x_keyboard } *; ++ allow $1 xserver_t:{ x_screen } setattr; ++ ++ allow $1 x_domain:x_drawable { read manage setattr show }; ++ allow $1 x_domain:x_resource { write read }; ++ allow $1 root_xdrawable_t:x_drawable manage; + ') + + ######################################## +@@ -1250,3 +1285,329 @@ typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') @@ -27696,9 +27840,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.10/policy/modules/services/xserver.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.11/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/services/xserver.te 2010-02-24 16:38:32.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/xserver.te 2010-03-04 10:56:15.000000000 -0500 @@ -36,6 +36,13 @@ ## @@ -27862,7 +28006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(iceauth_t) -@@ -250,30 +283,57 @@ +@@ -250,30 +283,58 @@ fs_manage_cifs_files(iceauth_t) ') @@ -27871,6 +28015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + dev_dontaudit_rw_dri(iceauth_t) + dev_dontaudit_rw_generic_dev_nodes(iceauth_t) + fs_list_inotifyfs(iceauth_t) ++ fs_dontaudit_rw_anon_inodefs_files(iceauth_t) + term_dontaudit_use_unallocated_ttys(iceauth_t) + + optional_policy(` @@ -27923,13 +28068,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser fs_search_auto_mountpoints(xauth_t) # cjp: why? -@@ -283,17 +343,35 @@ +@@ -283,17 +344,36 @@ userdom_use_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) +userdom_read_all_users_state(xauth_t) + +ifdef(`hide_broken_symptoms', ` ++ fs_dontaudit_rw_anon_inodefs_files(xauth_t) + userdom_manage_user_home_content_files(xauth_t) + userdom_manage_user_tmp_files(xauth_t) + dev_dontaudit_rw_generic_dev_nodes(xauth_t) @@ -27959,7 +28105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -305,20 +383,31 @@ +@@ -305,20 +385,31 @@ # XDM Local policy # @@ -27994,7 +28140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -334,24 +423,42 @@ +@@ -334,24 +425,42 @@ manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) @@ -28041,7 +28187,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xserver_t:unix_stream_socket connectto; allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; -@@ -363,6 +470,7 @@ +@@ -359,10 +468,13 @@ + + # transition to the xdm xserver + domtrans_pattern(xdm_t, xserver_exec_t, xserver_t) ++ ++ps_process_pattern(xserver_t, xdm_t) + allow xserver_t xdm_t:process signal; allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; @@ -28049,7 +28201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -371,10 +479,14 @@ +@@ -371,10 +483,14 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -28065,7 +28217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) -@@ -394,11 +506,13 @@ +@@ -394,11 +510,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -28079,7 +28231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -406,6 +520,7 @@ +@@ -406,6 +524,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -28087,7 +28239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -414,18 +529,21 @@ +@@ -414,18 +533,21 @@ dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) @@ -28112,7 +28264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -436,9 +554,15 @@ +@@ -436,9 +558,15 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -28128,7 +28280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -447,14 +571,18 @@ +@@ -447,14 +575,18 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -28147,7 +28299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -465,10 +593,12 @@ +@@ -465,10 +597,12 @@ logging_read_generic_logs(xdm_t) @@ -28162,7 +28314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -477,6 +607,11 @@ +@@ -477,6 +611,11 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -28174,7 +28326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -509,10 +644,12 @@ +@@ -509,10 +648,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -28187,7 +28339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -520,12 +657,49 @@ +@@ -520,12 +661,49 @@ ') optional_policy(` @@ -28237,7 +28389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser hostname_exec(xdm_t) ') -@@ -543,9 +717,43 @@ +@@ -543,9 +721,43 @@ ') optional_policy(` @@ -28281,7 +28433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` seutil_sigchld_newrole(xdm_t) ') -@@ -555,8 +763,9 @@ +@@ -555,8 +767,9 @@ ') optional_policy(` @@ -28293,7 +28445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -565,7 +774,6 @@ +@@ -565,7 +778,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -28301,7 +28453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -576,6 +784,10 @@ +@@ -576,6 +788,10 @@ ') optional_policy(` @@ -28312,7 +28464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xfs_stream_connect(xdm_t) ') -@@ -600,10 +812,9 @@ +@@ -600,10 +816,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -28324,7 +28476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -615,6 +826,18 @@ +@@ -615,6 +830,18 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -28343,7 +28495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -634,12 +857,19 @@ +@@ -634,12 +861,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -28365,7 +28517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -673,7 +903,6 @@ +@@ -673,7 +907,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -28373,7 +28525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -683,9 +912,12 @@ +@@ -683,9 +916,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -28387,7 +28539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -700,8 +932,12 @@ +@@ -700,8 +936,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -28397,10 +28549,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +mls_process_write_to_clearance(xserver_t) +mls_file_read_to_clearance(xserver_t) +mls_file_write_all_levels(xserver_t) ++mls_file_upgrade(xserver_t) selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -723,6 +959,7 @@ +@@ -723,11 +964,14 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -28408,7 +28561,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser modutils_domtrans_insmod(xserver_t) -@@ -779,12 +1016,20 @@ + # read x_contexts + seutil_read_default_contexts(xserver_t) ++seutil_read_config(xserver_t) ++seutil_read_file_contexts(xserver_t) + + userdom_search_user_home_dirs(xserver_t) + userdom_use_user_ttys(xserver_t) +@@ -779,12 +1023,20 @@ ') optional_policy(` @@ -28430,7 +28590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser unconfined_domtrans(xserver_t) ') -@@ -811,7 +1056,7 @@ +@@ -811,7 +1063,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -28439,7 +28599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -832,9 +1077,14 @@ +@@ -832,9 +1084,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -28454,7 +28614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -849,11 +1099,14 @@ +@@ -849,11 +1106,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -28471,7 +28631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -999,3 +1252,33 @@ +@@ -999,3 +1259,33 @@ allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -28505,9 +28665,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +tunable_policy(`use_samba_home_dirs',` + fs_append_cifs_files(xdmhomewriter) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.7.10/policy/modules/services/zebra.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.7.11/policy/modules/services/zebra.if --- nsaserefpolicy/policy/modules/services/zebra.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/services/zebra.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/services/zebra.if 2010-03-03 23:48:01.000000000 -0500 @@ -24,6 +24,26 @@ ######################################## @@ -28535,9 +28695,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr ## All of the rules required to administrate ## an zebra environment ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.10/policy/modules/system/application.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.11/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/application.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/application.te 2010-03-03 23:48:01.000000000 -0500 @@ -7,6 +7,17 @@ # Executables to be run by user attribute application_exec_type; @@ -28556,9 +28716,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic optional_policy(` ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.10/policy/modules/system/authlogin.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.11/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/system/authlogin.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/authlogin.fc 2010-03-03 23:48:01.000000000 -0500 @@ -7,12 +7,10 @@ /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) @@ -28573,20 +28733,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ifdef(`distro_suse', ` -@@ -42,6 +40,9 @@ +@@ -42,6 +40,8 @@ /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) - /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) ++/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) +/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) -+ /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) -+/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.10/policy/modules/system/authlogin.if ---- nsaserefpolicy/policy/modules/system/authlogin.if 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/authlogin.if 2010-02-23 15:54:38.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.11/policy/modules/system/authlogin.if +--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-03-03 23:26:37.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/authlogin.if 2010-03-03 23:48:01.000000000 -0500 @@ -40,17 +40,76 @@ ## ## @@ -28754,17 +28913,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo - sysnet_dns_name_resolve($1) - sysnet_use_ldap($1) - -- optional_policy(` -- kerberos_use($1) -- ') -- optional_policy(` -- nis_use_ypbind($1) +- kerberos_use($1) + kerberos_read_keytab($1) + kerberos_connect_524($1) ') optional_policy(` +- nis_use_ypbind($1) +- ') +- +- optional_policy(` - pcscd_read_pub_files($1) + pcscd_manage_pub_files($1) + pcscd_manage_pub_pipes($1) @@ -28867,7 +29026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Do not audit attempts to write to ## login records files. ## -@@ -1378,6 +1521,8 @@ +@@ -1388,6 +1531,8 @@ # interface(`auth_use_nsswitch',` @@ -28876,7 +29035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo files_list_var_lib($1) # read /etc/nsswitch.conf -@@ -1393,16 +1538,33 @@ +@@ -1403,16 +1548,33 @@ ') optional_policy(` @@ -28911,9 +29070,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.10/policy/modules/system/authlogin.te ---- nsaserefpolicy/policy/modules/system/authlogin.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/authlogin.te 2010-02-25 18:15:10.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.11/policy/modules/system/authlogin.te +--- nsaserefpolicy/policy/modules/system/authlogin.te 2010-03-01 15:12:54.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/authlogin.te 2010-03-03 23:48:01.000000000 -0500 @@ -103,8 +103,10 @@ fs_dontaudit_getattr_xattr_fs(chkpwd_t) @@ -28944,9 +29103,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ######################################## # # PAM local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.10/policy/modules/system/daemontools.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.11/policy/modules/system/daemontools.if --- nsaserefpolicy/policy/modules/system/daemontools.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/system/daemontools.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/daemontools.if 2010-03-03 23:48:01.000000000 -0500 @@ -71,6 +71,32 @@ domtrans_pattern($1, svc_start_exec_t, svc_start_t) ') @@ -29027,9 +29186,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon + + allow $1 svc_run_t:process sigchld; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.7.10/policy/modules/system/daemontools.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.7.11/policy/modules/system/daemontools.te --- nsaserefpolicy/policy/modules/system/daemontools.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/system/daemontools.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/daemontools.te 2010-03-03 23:48:01.000000000 -0500 @@ -39,7 +39,10 @@ # multilog creates /service/*/log/status manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t) @@ -29102,9 +29261,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon + daemontools_domtrans_run(svc_start_t) daemontools_manage_svc(svc_start_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.10/policy/modules/system/fstools.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.11/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/fstools.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/fstools.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -29130,9 +29289,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.10/policy/modules/system/fstools.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.11/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/fstools.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/fstools.te 2010-03-03 23:48:01.000000000 -0500 @@ -118,6 +118,8 @@ fs_search_tmpfs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t) @@ -29152,9 +29311,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool ifdef(`distro_redhat',` optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.7.10/policy/modules/system/getty.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.7.11/policy/modules/system/getty.te --- nsaserefpolicy/policy/modules/system/getty.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/getty.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/getty.te 2010-03-03 23:48:01.000000000 -0500 @@ -56,11 +56,10 @@ manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t) files_pid_filetrans(getty_t, getty_var_run_t, file) @@ -29170,9 +29329,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty. dev_read_sysfs(getty_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.7.10/policy/modules/system/hostname.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.7.11/policy/modules/system/hostname.te --- nsaserefpolicy/policy/modules/system/hostname.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/hostname.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/hostname.te 2010-03-03 23:48:01.000000000 -0500 @@ -27,15 +27,18 @@ dev_read_sysfs(hostname_t) @@ -29192,23 +29351,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna fs_dontaudit_use_tmpfs_chr_dev(hostname_t) term_dontaudit_use_console(hostname_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.7.10/policy/modules/system/hotplug.te ---- nsaserefpolicy/policy/modules/system/hotplug.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/system/hotplug.te 2010-02-23 15:54:38.000000000 -0500 -@@ -125,6 +125,10 @@ - ') - - optional_policy(` -+ brctl_domtrans(hotplug_t) -+') -+ -+optional_policy(` - consoletype_exec(hotplug_t) - ') - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.10/policy/modules/system/init.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.11/policy/modules/system/init.fc --- nsaserefpolicy/policy/modules/system/init.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/system/init.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/init.fc 2010-03-03 23:48:01.000000000 -0500 @@ -4,10 +4,10 @@ /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -29232,10 +29377,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f # # /var -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.10/policy/modules/system/init.if ---- nsaserefpolicy/policy/modules/system/init.if 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/init.if 2010-02-23 15:54:38.000000000 -0500 -@@ -162,8 +162,10 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.11/policy/modules/system/init.if +--- nsaserefpolicy/policy/modules/system/init.if 2010-03-01 15:12:54.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/init.if 2010-03-03 23:48:01.000000000 -0500 +@@ -193,8 +193,10 @@ gen_require(` attribute direct_run_init, direct_init, direct_init_entry; type initrc_t; @@ -29246,7 +29391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') typeattribute $1 daemon; -@@ -174,6 +176,15 @@ +@@ -205,6 +207,15 @@ role system_r types $1; domtrans_pattern(initrc_t,$2,$1) @@ -29262,7 +29407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i # daemons started from init will # inherit fds from init for the console -@@ -233,7 +244,7 @@ +@@ -285,7 +296,7 @@ type initrc_t; ') @@ -29271,7 +29416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ifdef(`enable_mcs',` range_transition initrc_t $2:process $3; -@@ -265,6 +276,7 @@ +@@ -338,6 +349,7 @@ gen_require(` type initrc_t; role system_r; @@ -29279,7 +29424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') application_domain($1,$2) -@@ -272,6 +284,9 @@ +@@ -345,6 +357,9 @@ role system_r types $1; domtrans_pattern(initrc_t,$2,$1) @@ -29289,7 +29434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray -@@ -280,6 +295,36 @@ +@@ -353,6 +368,36 @@ kernel_dontaudit_use_fds($1) ') ') @@ -29326,7 +29471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -546,7 +591,8 @@ +@@ -681,7 +726,8 @@ # upstart uses a datagram socket instead of initctl pipe allow $1 self:unix_dgram_socket create_socket_perms; @@ -29336,7 +29481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ') -@@ -619,18 +665,19 @@ +@@ -754,18 +800,19 @@ # interface(`init_spec_domtrans_script',` gen_require(` @@ -29360,7 +29505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ') -@@ -646,19 +693,39 @@ +@@ -781,19 +828,39 @@ # interface(`init_domtrans_script',` gen_require(` @@ -29404,7 +29549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -714,8 +781,10 @@ +@@ -849,8 +916,10 @@ interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -29415,7 +29560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i domtrans_pattern($1, $2, initrc_t) files_search_etc($1) ') -@@ -923,6 +992,24 @@ +@@ -1058,6 +1127,24 @@ allow $1 init_script_file_type:file read_file_perms; ') @@ -29440,7 +29585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ######################################## ## ## Execute all init scripts in the caller domain. -@@ -1142,7 +1229,7 @@ +@@ -1277,7 +1364,7 @@ type initrc_t; ') @@ -29449,7 +29594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -1310,6 +1397,25 @@ +@@ -1445,6 +1532,25 @@ ######################################## ## @@ -29475,7 +29620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ## Create files in a init script ## temporary data directory. ## -@@ -1465,7 +1571,7 @@ +@@ -1600,7 +1706,7 @@ type initrc_var_run_t; ') @@ -29484,7 +29629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -1540,3 +1646,76 @@ +@@ -1675,3 +1781,76 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -29561,9 +29706,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + init_dontaudit_use_script_fds($1) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.10/policy/modules/system/init.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.11/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/init.te 2010-02-25 16:45:03.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/init.te 2010-03-03 23:48:01.000000000 -0500 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) @@ -30134,11 +30279,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -793,3 +958,31 @@ +@@ -793,3 +958,34 @@ optional_policy(` zebra_read_config(initrc_t) ') + ++# if I start an initrc script from an random director I can generate this avc ++files_dontaudit_search_all_dirs(daemon) ++ +userdom_inherit_append_user_home_content_files(daemon) +userdom_inherit_append_user_tmp_files(daemon) +userdom_dontaudit_rw_stream(daemon) @@ -30166,9 +30314,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t +optional_policy(` + fail2ban_read_lib_files(daemon) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.10/policy/modules/system/ipsec.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.11/policy/modules/system/ipsec.fc --- nsaserefpolicy/policy/modules/system/ipsec.fc 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/ipsec.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/ipsec.fc 2010-03-03 23:48:01.000000000 -0500 @@ -37,6 +37,8 @@ /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) @@ -30179,9 +30327,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. +/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) -/var/run/racoon.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.10/policy/modules/system/ipsec.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.11/policy/modules/system/ipsec.if --- nsaserefpolicy/policy/modules/system/ipsec.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/ipsec.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/ipsec.if 2010-03-03 23:48:01.000000000 -0500 @@ -39,6 +39,25 @@ ######################################## @@ -30208,9 +30356,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. ## Get the attributes of an IPSEC key socket. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.10/policy/modules/system/ipsec.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.11/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/ipsec.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/ipsec.te 2010-03-03 23:48:01.000000000 -0500 @@ -29,9 +29,15 @@ type ipsec_key_file_t; files_type(ipsec_key_file_t) @@ -30348,9 +30496,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. userdom_use_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.10/policy/modules/system/iptables.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.11/policy/modules/system/iptables.fc --- nsaserefpolicy/policy/modules/system/iptables.fc 2010-02-12 16:41:05.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/iptables.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/iptables.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,6 +1,4 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) @@ -30358,9 +30506,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.10/policy/modules/system/iptables.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.11/policy/modules/system/iptables.if --- nsaserefpolicy/policy/modules/system/iptables.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/iptables.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/iptables.if 2010-03-03 23:48:01.000000000 -0500 @@ -17,6 +17,10 @@ corecmd_search_bin($1) @@ -30372,9 +30520,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.10/policy/modules/system/iptables.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.11/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/iptables.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/iptables.te 2010-03-03 23:48:01.000000000 -0500 @@ -14,9 +14,6 @@ type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) @@ -30448,9 +30596,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl udev_read_db(iptables_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.7.10/policy/modules/system/iscsi.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.7.11/policy/modules/system/iscsi.fc --- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/system/iscsi.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/iscsi.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,5 +1,9 @@ /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) +/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) @@ -30461,9 +30609,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. +/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0) + /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.10/policy/modules/system/iscsi.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.11/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/iscsi.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/iscsi.te 2010-03-03 23:48:01.000000000 -0500 @@ -14,6 +14,9 @@ type iscsi_lock_t; files_lock_file(iscsi_lock_t) @@ -30499,15 +30647,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. allow iscsid_t iscsi_var_lib_t:dir list_dir_perms; read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) -@@ -54,6 +63,7 @@ +@@ -54,8 +63,8 @@ manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t) files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) +kernel_read_network_state(iscsid_t) kernel_read_system_state(iscsid_t) - kernel_search_debugfs(iscsid_t) +-kernel_search_debugfs(iscsid_t) -@@ -67,13 +77,21 @@ + corenet_all_recvfrom_unlabeled(iscsid_t) + corenet_all_recvfrom_netlabel(iscsid_t) +@@ -67,13 +76,21 @@ corenet_tcp_connect_isns_port(iscsid_t) dev_rw_sysfs(iscsid_t) @@ -30529,9 +30679,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. +optional_policy(` + tgtd_rw_semaphores(iscsid_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.10/policy/modules/system/libraries.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.11/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/system/libraries.fc 2010-03-01 10:44:28.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/libraries.fc 2010-03-03 23:48:01.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -30892,9 +31042,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.10/policy/modules/system/libraries.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.11/policy/modules/system/libraries.if --- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/system/libraries.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/libraries.if 2010-03-03 23:48:01.000000000 -0500 @@ -17,6 +17,7 @@ corecmd_search_bin($1) @@ -30921,9 +31071,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar allow $1 lib_t:dir list_dir_perms; read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.10/policy/modules/system/libraries.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.11/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/libraries.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/libraries.te 2010-03-03 23:48:01.000000000 -0500 @@ -58,11 +58,11 @@ # ldconfig local policy # @@ -30996,9 +31146,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +optional_policy(` + unconfined_domain(ldconfig_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.10/policy/modules/system/locallogin.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.11/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/locallogin.te 2010-02-25 18:19:19.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/locallogin.te 2010-03-03 23:48:01.000000000 -0500 @@ -33,9 +33,8 @@ # Local login local policy # @@ -31099,9 +31249,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall -optional_policy(` - nscd_socket_use(sulogin_t) -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.10/policy/modules/system/logging.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.11/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/system/logging.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/logging.fc 2010-03-03 23:48:01.000000000 -0500 @@ -17,6 +17,10 @@ /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) @@ -31141,10 +31291,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.10/policy/modules/system/logging.if ---- nsaserefpolicy/policy/modules/system/logging.if 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/logging.if 2010-02-23 15:54:38.000000000 -0500 -@@ -69,6 +69,20 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.11/policy/modules/system/logging.if +--- nsaserefpolicy/policy/modules/system/logging.if 2010-03-01 15:12:54.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/logging.if 2010-03-03 23:48:01.000000000 -0500 +@@ -96,6 +96,20 @@ ######################################## ## @@ -31165,15 +31315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ## Set up audit ## ## -@@ -450,7 +464,6 @@ - # If syslog is down, the glibc syslog() function - # will write to the console. - term_write_console($1) -- term_dontaudit_read_console($1) - ') - - ######################################## -@@ -625,7 +638,25 @@ +@@ -701,7 +715,25 @@ ') files_search_var($1) @@ -31200,7 +31342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -@@ -708,7 +739,9 @@ +@@ -784,7 +816,9 @@ files_search_var($1) manage_files_pattern($1, logfile, logfile) @@ -31211,9 +31353,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.10/policy/modules/system/logging.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.11/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/logging.te 2010-02-25 18:10:25.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/logging.te 2010-03-03 23:48:01.000000000 -0500 @@ -101,6 +101,7 @@ kernel_read_kernel_sysctls(auditctl_t) @@ -31356,9 +31498,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin udev_read_db(syslogd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.10/policy/modules/system/lvm.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.11/policy/modules/system/lvm.fc --- nsaserefpolicy/policy/modules/system/lvm.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/system/lvm.fc 2010-02-25 18:42:51.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/lvm.fc 2010-03-03 23:48:01.000000000 -0500 @@ -28,6 +28,7 @@ # /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) @@ -31367,9 +31509,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc # # /sbin -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.10/policy/modules/system/lvm.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.11/policy/modules/system/lvm.if --- nsaserefpolicy/policy/modules/system/lvm.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/lvm.if 2010-02-26 08:35:35.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/lvm.if 2010-03-03 23:48:01.000000000 -0500 @@ -34,7 +34,7 @@ type lvm_exec_t; ') @@ -31379,9 +31521,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if can_exec($1, lvm_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.10/policy/modules/system/lvm.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.11/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/lvm.te 2010-02-26 08:56:01.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/lvm.te 2010-03-03 23:48:01.000000000 -0500 @@ -142,6 +142,11 @@ ') @@ -31430,9 +31572,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te bootloader_rw_tmp_files(lvm_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.10/policy/modules/system/miscfiles.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.11/policy/modules/system/miscfiles.fc --- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/miscfiles.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/miscfiles.fc 2010-03-03 23:48:01.000000000 -0500 @@ -42,6 +42,7 @@ /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) @@ -31459,9 +31601,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) ifdef(`distro_debian',` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.10/policy/modules/system/miscfiles.if ---- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/miscfiles.if 2010-02-23 15:54:38.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.11/policy/modules/system/miscfiles.if +--- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-03-01 15:12:54.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/miscfiles.if 2010-03-03 23:48:01.000000000 -0500 @@ -73,7 +73,8 @@ # interface(`miscfiles_read_fonts',` @@ -31552,9 +31694,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.7.10/policy/modules/system/miscfiles.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.7.11/policy/modules/system/miscfiles.te --- nsaserefpolicy/policy/modules/system/miscfiles.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/miscfiles.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/miscfiles.te 2010-03-03 23:48:01.000000000 -0500 @@ -19,6 +19,9 @@ type fonts_t; files_type(fonts_t) @@ -31565,9 +31707,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi # # type for /usr/share/hwdata # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.10/policy/modules/system/modutils.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.11/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/modutils.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/modutils.te 2010-03-03 23:48:01.000000000 -0500 @@ -19,6 +19,7 @@ type insmod_exec_t; application_domain(insmod_t, insmod_exec_t) @@ -31673,23 +31815,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.10/policy/modules/system/mount.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.11/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/system/mount.fc 2010-02-23 15:54:38.000000000 -0500 -@@ -1,4 +1,9 @@ ++++ serefpolicy-3.7.11/policy/modules/system/mount.fc 2010-03-04 07:59:10.000000000 -0500 +@@ -1,4 +1,10 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) +/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) ++/usr/sbin/showmount -- gen_context(system_u:object_r:showmount_exec_t,s0) -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.10/policy/modules/system/mount.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.11/policy/modules/system/mount.if --- nsaserefpolicy/policy/modules/system/mount.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/system/mount.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/mount.if 2010-03-04 07:59:10.000000000 -0500 @@ -16,6 +16,14 @@ ') @@ -31726,7 +31869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -177,3 +189,57 @@ +@@ -177,3 +189,100 @@ mount_domtrans_unconfined($1) role $2 types unconfined_mount_t; ') @@ -31784,9 +31927,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + + dontaudit $1 fusermount_exec_t:file exec_file_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.10/policy/modules/system/mount.te ++ ++###################################### ++## ++## Execute a domain transition to run showmount. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mount_domtrans_showmount',` ++ gen_require(` ++ type showmount_t, showmount_exec_t; ++ ') ++ ++ domtrans_pattern($1, showmount_exec_t, showmount_t) ++') ++ ++###################################### ++## ++## Execute showmount in the showmount domain, and ++## allow the specified role the showmount domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the showmount domain. ++## ++## ++# ++interface(`mount_run_showmount',` ++ gen_require(` ++ type showmount_t; ++ ') ++ ++ mount_domtrans_showmount($1) ++ role $2 types showmount_t; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.11/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/system/mount.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/mount.te 2010-03-04 07:59:10.000000000 -0500 @@ -18,8 +18,15 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -31803,7 +31989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. type mount_tmp_t; files_tmp_file(mount_tmp_t) -@@ -29,6 +36,10 @@ +@@ -29,6 +36,19 @@ # policy--duplicate type declaration type unconfined_mount_t; application_domain(unconfined_mount_t, mount_exec_t) @@ -31811,10 +31997,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + +type mount_var_run_t; +files_pid_file(mount_var_run_t) ++ ++# showmount - show mount information for an NFS server ++ ++type showmount_t; ++type showmount_exec_t; ++application_domain(showmount_t, showmount_exec_t) ++role system_r types showmount_t; ++ ++permissive showmount_t; ######################################## # -@@ -36,7 +47,11 @@ +@@ -36,7 +56,11 @@ # # setuid/setgid needed to mount cifs @@ -31827,7 +32022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. allow mount_t mount_loopback_t:file read_file_perms; -@@ -47,21 +62,38 @@ +@@ -47,21 +71,38 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) @@ -31867,7 +32062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. files_search_all(mount_t) files_read_etc_files(mount_t) -@@ -70,7 +102,7 @@ +@@ -70,7 +111,7 @@ files_mounton_all_mountpoints(mount_t) files_unmount_rootfs(mount_t) # These rules need to be generalized. Only admin, initrc should have it: @@ -31876,7 +32071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. files_mount_all_file_type_fs(mount_t) files_unmount_all_file_type_fs(mount_t) # for when /etc/mtab loses its type -@@ -80,15 +112,18 @@ +@@ -80,15 +121,18 @@ files_read_usr_files(mount_t) files_list_mnt(mount_t) @@ -31898,7 +32093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. mls_file_read_all_levels(mount_t) mls_file_write_all_levels(mount_t) -@@ -99,6 +134,7 @@ +@@ -99,6 +143,7 @@ storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) @@ -31906,7 +32101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. term_use_all_terms(mount_t) -@@ -107,6 +143,8 @@ +@@ -107,6 +152,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -31915,7 +32110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. logging_send_syslog_msg(mount_t) -@@ -117,6 +155,8 @@ +@@ -117,6 +164,8 @@ seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -31924,7 +32119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`distro_redhat',` optional_policy(` -@@ -132,10 +172,17 @@ +@@ -132,10 +181,17 @@ ') ') @@ -31942,7 +32137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -165,6 +212,8 @@ +@@ -165,6 +221,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -31951,7 +32146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -172,6 +221,25 @@ +@@ -172,6 +230,25 @@ ') optional_policy(` @@ -31977,7 +32172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -179,6 +247,11 @@ +@@ -179,6 +256,11 @@ ') ') @@ -31989,7 +32184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -186,6 +259,19 @@ +@@ -186,6 +268,19 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -32009,7 +32204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -195,5 +281,10 @@ +@@ -195,5 +290,41 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t, file) @@ -32021,9 +32216,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + devicekit_dbus_chat_disk(unconfined_mount_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.10/policy/modules/system/raid.te ++###################################### ++# ++# showmount local policy ++# ++ ++allow showmount_t self:tcp_socket create_stream_socket_perms; ++allow showmount_t self:udp_socket create_socket_perms; ++ ++kernel_read_system_state(showmount_t) ++ ++corenet_all_recvfrom_unlabeled(showmount_t) ++corenet_all_recvfrom_netlabel(showmount_t) ++corenet_tcp_sendrecv_generic_if(showmount_t) ++corenet_udp_sendrecv_generic_if(showmount_t) ++corenet_tcp_sendrecv_generic_node(showmount_t) ++corenet_udp_sendrecv_generic_node(showmount_t) ++corenet_tcp_sendrecv_all_ports(showmount_t) ++corenet_udp_sendrecv_all_ports(showmount_t) ++corenet_tcp_bind_generic_node(showmount_t) ++corenet_udp_bind_generic_node(showmount_t) ++corenet_tcp_bind_all_rpc_ports(showmount_t) ++corenet_udp_bind_all_rpc_ports(showmount_t) ++corenet_tcp_connect_all_ports(showmount_t) ++ ++files_read_etc_files(showmount_t) ++ ++miscfiles_read_localization(showmount_t) ++ ++sysnet_dns_name_resolve(showmount_t) ++ ++userdom_use_user_terminals(showmount_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.11/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/raid.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/raid.te 2010-03-03 23:48:01.000000000 -0500 @@ -51,11 +51,13 @@ dev_dontaudit_getattr_generic_chr_files(mdadm_t) dev_dontaudit_getattr_generic_blk_files(mdadm_t) @@ -32038,9 +32264,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t fs_search_auto_mountpoints(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.10/policy/modules/system/selinuxutil.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.11/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/system/selinuxutil.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/selinuxutil.fc 2010-03-03 23:48:01.000000000 -0500 @@ -6,13 +6,13 @@ /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) @@ -32080,10 +32306,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.10/policy/modules/system/selinuxutil.if ---- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/system/selinuxutil.if 2010-03-01 11:55:49.000000000 -0500 -@@ -351,6 +351,27 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.11/policy/modules/system/selinuxutil.if +--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-03-03 23:26:37.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/selinuxutil.if 2010-03-03 23:48:01.000000000 -0500 +@@ -361,6 +361,27 @@ ######################################## ## @@ -32111,7 +32337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Execute run_init in the run_init domain. ## ## -@@ -535,6 +556,53 @@ +@@ -545,6 +566,53 @@ ######################################## ## @@ -32165,7 +32391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Execute setfiles in the caller domain. ## ## -@@ -680,6 +748,7 @@ +@@ -690,6 +758,7 @@ ') files_search_etc($1) @@ -32173,7 +32399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu manage_files_pattern($1, selinux_config_t, selinux_config_t) read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) ') -@@ -999,6 +1068,26 @@ +@@ -1009,6 +1078,26 @@ ######################################## ## @@ -32200,7 +32426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. -@@ -1010,7 +1099,7 @@ +@@ -1020,7 +1109,7 @@ ## ## ## @@ -32209,7 +32435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## ## ## -@@ -1028,6 +1117,54 @@ +@@ -1038,6 +1127,54 @@ ######################################## ## @@ -32264,7 +32490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Full management of the semanage ## module store. ## -@@ -1139,3 +1276,194 @@ +@@ -1149,3 +1286,194 @@ selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -32459,9 +32685,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + hotplug_use_fds($1) +') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.10/policy/modules/system/selinuxutil.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.11/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/selinuxutil.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/selinuxutil.te 2010-03-03 23:48:01.000000000 -0500 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -32846,9 +33072,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu - hotplug_use_fds(setfiles_t) + unconfined_domain(setfiles_mac_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.10/policy/modules/system/sysnetwork.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.11/policy/modules/system/sysnetwork.fc --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/sysnetwork.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/sysnetwork.fc 2010-03-03 23:48:01.000000000 -0500 @@ -13,6 +13,9 @@ /etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) @@ -32882,9 +33108,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.10/policy/modules/system/sysnetwork.if ---- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/sysnetwork.if 2010-02-23 15:54:38.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.11/policy/modules/system/sysnetwork.if +--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-03-01 15:12:54.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/sysnetwork.if 2010-03-03 23:48:01.000000000 -0500 @@ -43,6 +43,41 @@ sysnet_domtrans_dhcpc($1) @@ -32954,7 +33180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ####################################### -@@ -230,7 +283,8 @@ +@@ -251,7 +304,8 @@ ') files_search_etc($1) @@ -32964,7 +33190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ####################################### -@@ -323,7 +377,8 @@ +@@ -344,7 +398,8 @@ type net_conf_t; ') @@ -32974,7 +33200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ####################################### -@@ -380,6 +435,10 @@ +@@ -401,6 +456,10 @@ corecmd_search_bin($1) domtrans_pattern($1, ifconfig_exec_t, ifconfig_t) @@ -32985,7 +33211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ######################################## -@@ -464,6 +523,7 @@ +@@ -485,6 +544,7 @@ ') files_search_etc($1) @@ -32993,7 +33219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) ') -@@ -541,9 +601,9 @@ +@@ -562,9 +622,9 @@ type net_conf_t; ') @@ -33004,11 +33230,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet corenet_all_recvfrom_unlabeled($1) corenet_all_recvfrom_netlabel($1) -@@ -557,7 +617,15 @@ +@@ -577,7 +637,16 @@ + corenet_tcp_connect_dns_port($1) corenet_sendrecv_dns_client_packets($1) - files_search_etc($1) -- allow $1 net_conf_t:file read_file_perms; +- sysnet_read_config($1) ++ files_search_etc($1) + read_files_pattern($1, net_conf_t, net_conf_t) + + optional_policy(` @@ -33021,19 +33248,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ######################################## -@@ -587,6 +655,8 @@ +@@ -605,7 +674,10 @@ + corenet_tcp_connect_ldap_port($1) + corenet_sendrecv_ldap_client_packets($1) - files_search_etc($1) - allow $1 net_conf_t:file read_file_perms; +- sysnet_read_config($1) ++ files_search_etc($1) ++ allow $1 net_conf_t:file read_file_perms; + # LDAP Configuration using encrypted requires + dev_read_urand($1) ') ######################################## -@@ -621,3 +691,49 @@ - files_search_etc($1) - allow $1 net_conf_t:file read_file_perms; - ') +@@ -637,5 +709,52 @@ + corenet_tcp_connect_portmap_port($1) + corenet_sendrecv_portmap_client_packets($1) + +- sysnet_read_config($1) ++ files_search_etc($1) ++ allow $1 net_conf_t:file read_file_perms; ++') + +######################################## +## @@ -33079,10 +33313,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet + ') + + role_transition $1 dhcpc_exec_t system_r; -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.10/policy/modules/system/sysnetwork.te + ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.11/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/sysnetwork.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/sysnetwork.te 2010-03-03 23:48:01.000000000 -0500 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t, dhcpc_exec_t) role system_r types dhcpc_t; @@ -33230,17 +33464,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; # for /sbin/ip -@@ -260,7 +276,9 @@ +@@ -260,6 +276,7 @@ kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) +kernel_request_load_module(ifconfig_t) kernel_search_network_sysctl(ifconfig_t) -+kernel_search_debugfs(ifconfig_t) kernel_rw_net_sysctls(ifconfig_t) - corenet_rw_tun_tap_dev(ifconfig_t) -@@ -269,15 +287,23 @@ +@@ -269,15 +286,23 @@ # for IPSEC setup: dev_read_urand(ifconfig_t) @@ -33265,7 +33497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet files_dontaudit_read_root_files(ifconfig_t) -@@ -294,6 +320,8 @@ +@@ -294,6 +319,8 @@ seutil_use_runinit_fds(ifconfig_t) @@ -33274,7 +33506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) -@@ -330,8 +358,22 @@ +@@ -330,8 +357,22 @@ ') optional_policy(` @@ -33297,10 +33529,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet + hal_dontaudit_rw_pipes(ifconfig_t) + hal_dontaudit_rw_dgram_sockets(ifconfig_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.10/policy/modules/system/udev.if ---- nsaserefpolicy/policy/modules/system/udev.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/udev.if 2010-02-23 15:54:38.000000000 -0500 -@@ -186,6 +186,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.11/policy/modules/system/udev.if +--- nsaserefpolicy/policy/modules/system/udev.if 2010-03-03 23:26:37.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/udev.if 2010-03-03 23:48:01.000000000 -0500 +@@ -192,6 +192,7 @@ dev_list_all_dev_nodes($1) allow $1 udev_tbl_t:file rw_file_perms; @@ -33308,9 +33540,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.10/policy/modules/system/udev.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.11/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/udev.te 2010-02-25 18:43:22.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/udev.te 2010-03-03 23:48:01.000000000 -0500 @@ -50,6 +50,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -33370,9 +33602,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t kernel_write_xen_state(udev_t) kernel_read_xen_state(udev_t) xen_manage_log(udev_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.10/policy/modules/system/unconfined.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.11/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/unconfined.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/unconfined.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,15 +1 @@ # Add programs here which should not be confined by SELinux -# e.g.: @@ -33389,9 +33621,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -ifdef(`distro_gentoo',` -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.10/policy/modules/system/unconfined.if ---- nsaserefpolicy/policy/modules/system/unconfined.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/system/unconfined.if 2010-02-23 15:54:38.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.11/policy/modules/system/unconfined.if +--- nsaserefpolicy/policy/modules/system/unconfined.if 2010-03-01 15:12:54.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/unconfined.if 2010-03-03 23:48:01.000000000 -0500 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -33463,7 +33695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -111,16 +123,15 @@ +@@ -122,6 +134,10 @@ ## # interface(`unconfined_domain',` @@ -33474,17 +33706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf unconfined_domain_noaudit($1) tunable_policy(`allow_execheap',` - auditallow $1 self:process execheap; - ') -- --# Turn off this audit for FC5 --# tunable_policy(`allow_execmem',` --# auditallow $1 self:process execmem; --# ') - ') - - ######################################## -@@ -173,411 +184,3 @@ +@@ -179,411 +195,3 @@ refpolicywarn(`$0($1) has been deprecated.') ') @@ -33896,9 +34118,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf - - allow $1 unconfined_t:dbus acquire_svc; -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.10/policy/modules/system/unconfined.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.11/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/unconfined.te 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/unconfined.te 2010-03-03 23:48:01.000000000 -0500 @@ -5,227 +5,5 @@ # # Declarations @@ -34128,9 +34350,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf - hal_dbus_chat(unconfined_execmem_t) - ') -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.10/policy/modules/system/userdomain.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.11/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/modules/system/userdomain.fc 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/userdomain.fc 2010-03-03 23:48:01.000000000 -0500 @@ -1,4 +1,11 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) @@ -34144,9 +34366,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs(/.*)? <> -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.10/policy/modules/system/userdomain.if ---- nsaserefpolicy/policy/modules/system/userdomain.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/userdomain.if 2010-03-01 10:27:00.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.11/policy/modules/system/userdomain.if +--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/userdomain.if 2010-03-03 23:48:01.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -35166,7 +35388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_common_user_template($1) ############################## -@@ -953,54 +1071,71 @@ +@@ -953,54 +1071,73 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -35181,6 +35403,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - files_read_kernel_symbol_table($1_t) + storage_rw_fuse($1_t) + ++ miscfiles_read_hwdata($1_usertype) ++ + # Allow users to run TCP servers (bind to ports and accept connection from + # the same domain and outside users) disabling this forces FTP passive mode + # and may change other protocols @@ -35267,7 +35491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1036,7 +1171,7 @@ +@@ -1036,7 +1173,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -35276,7 +35500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ############################## -@@ -1045,8 +1180,7 @@ +@@ -1045,8 +1182,7 @@ # # Inherit rules for ordinary users. @@ -35286,7 +35510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1071,6 +1205,9 @@ +@@ -1071,6 +1207,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -35296,7 +35520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1085,6 +1222,7 @@ +@@ -1085,6 +1224,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -35304,7 +35528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1092,8 +1230,6 @@ +@@ -1092,8 +1232,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -35313,7 +35537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1120,12 +1256,11 @@ +@@ -1120,12 +1258,11 @@ files_exec_usr_src_files($1_t) fs_getattr_all_fs($1_t) @@ -35328,7 +35552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo term_use_all_terms($1_t) auth_getattr_shadow($1_t) -@@ -1148,20 +1283,6 @@ +@@ -1148,20 +1285,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -35349,7 +35573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` postgresql_unconfined($1_t) ') -@@ -1207,6 +1328,7 @@ +@@ -1207,6 +1330,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -35357,7 +35581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1272,11 +1394,15 @@ +@@ -1272,11 +1396,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -35373,7 +35597,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1387,12 +1513,13 @@ +@@ -1313,7 +1441,7 @@ + type user_devpts_t; + ') + +- allow $1 user_devpts_t:chr_file setattr_chr_file_perms; ++ allow $1 user_devpts_t:chr_file setattr; + ') + + ######################################## +@@ -1387,26 +1515,19 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -35383,12 +35616,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## --## Search user home directories. +-## Do not audit attempts to search user home directories. +## dontaudit Search user home directories. ## +-## +-##

+-## Do not audit attempts to search user home directories. +-## This will supress SELinux denial messages when the specified +-## domain is denied the permission to search these directories. +-##

+-## ## ## -@@ -1425,6 +1552,14 @@ +-## Domain to not audit. ++## Domain allowed access. + ## + ## +-## + # + interface(`userdom_dontaudit_search_user_home_dirs',` + gen_require(` +@@ -1433,6 +1554,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -35403,7 +35651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1440,9 +1575,11 @@ +@@ -1448,9 +1577,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -35415,7 +35663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1499,6 +1636,42 @@ +@@ -1507,6 +1638,42 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -35458,7 +35706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## ## Create directories in the home dir root with -@@ -1573,11 +1746,14 @@ +@@ -1581,11 +1748,14 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -35474,7 +35722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -1585,18 +1761,18 @@ +@@ -1593,18 +1763,18 @@ ## ## # @@ -35498,7 +35746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -1604,18 +1780,17 @@ +@@ -1612,18 +1782,17 @@ ## ## # @@ -35521,7 +35769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -1623,12 +1798,12 @@ +@@ -1631,12 +1800,12 @@ ## ## # @@ -35536,7 +35784,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1684,6 +1859,7 @@ +@@ -1655,7 +1824,7 @@ + type user_home_t; + ') + +- dontaudit $1 user_home_t:file setattr_file_perms; ++ dontaudit $1 user_home_t:file setattr; + ') + + ######################################## +@@ -1692,6 +1861,7 @@ type user_home_dir_t, user_home_t; ') @@ -35544,7 +35801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1700,11 +1876,14 @@ +@@ -1708,11 +1878,14 @@ # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -35562,7 +35819,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1811,19 +1990,32 @@ +@@ -1730,7 +1903,7 @@ + type user_home_t; + ') + +- dontaudit $1 user_home_t:file append_file_perms; ++ dontaudit $1 user_home_t:file append; + ') + + ######################################## +@@ -1748,7 +1921,7 @@ + type user_home_t; + ') + +- dontaudit $1 user_home_t:file write_file_perms; ++ dontaudit $1 user_home_t:file write; + ') + + ######################################## +@@ -1819,19 +1992,32 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -35602,7 +35877,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1858,6 +2050,7 @@ +@@ -1849,7 +2035,7 @@ + type user_home_t; + ') + +- dontaudit $1 user_home_t:file exec_file_perms; ++ dontaudit $1 user_home_t:file execute; + ') + + ######################################## +@@ -1866,6 +2052,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -35610,11 +35894,64 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2094,6 +2287,25 @@ +@@ -2077,7 +2264,7 @@ + type user_tmp_t; + ') + +- allow $1 user_tmp_t:sock_file write_sock_file_perms; ++ allow $1 user_tmp_t:sock_file write; + files_search_tmp($1) + ') + +@@ -2102,7 +2289,7 @@ ######################################## ## +-## Do not audit attempts to list user +## Do not audit attempts to search user + ## temporary directories. + ## + ## +@@ -2111,17 +2298,17 @@ + ## + ## + # +-interface(`userdom_dontaudit_list_user_tmp',` ++interface(`userdom_dontaudit_search_user_tmp',` + gen_require(` + type user_tmp_t; + ') + +- dontaudit $1 user_tmp_t:dir list_dir_perms; ++ dontaudit $1 user_tmp_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Do not audit attempts to manage users ++## Do not audit attempts to list user + ## temporary directories. + ## + ## +@@ -2130,18 +2317,37 @@ + ## + ## + # +-interface(`userdom_dontaudit_manage_user_tmp_dirs',` ++interface(`userdom_dontaudit_list_user_tmp',` + gen_require(` + type user_tmp_t; + ') + +- dontaudit $1 user_tmp_t:dir manage_dir_perms; ++ dontaudit $1 user_tmp_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Read user temporary files. +-## ++## Do not audit attempts to manage users +## temporary directories. +## +## @@ -35623,24 +35960,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+interface(`userdom_dontaudit_search_user_tmp',` ++interface(`userdom_dontaudit_manage_user_tmp_dirs',` + gen_require(` + type user_tmp_t; + ') + -+ dontaudit $1 user_tmp_t:dir search_dir_perms; ++ dontaudit $1 user_tmp_t:dir manage_dir_perms; +') + +######################################## +## - ## Do not audit attempts to list user - ## temporary directories. - ## -@@ -2210,7 +2422,26 @@ ++## Read user temporary files. ++## + ## + ## + ## Domain allowed access. +@@ -2193,7 +2399,7 @@ + type user_tmp_t; + ') + +- dontaudit $1 user_tmp_t:file append_file_perms; ++ dontaudit $1 user_tmp_t:file append; + ') + + ######################################## +@@ -2218,6 +2424,25 @@ ######################################## ## --## Do not audit attempts to manage users +## Do not audit attempts to write users +## temporary files. +## @@ -35660,11 +36007,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + +######################################## +## -+## Do not audit attempts to manage users + ## Do not audit attempts to manage users ## temporary files. ## - ## -@@ -2290,6 +2521,46 @@ +@@ -2298,6 +2523,46 @@ ######################################## ## ## Create, read, write, and delete user @@ -35711,7 +36057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## temporary symbolic links. ## ## -@@ -2405,7 +2676,7 @@ +@@ -2413,7 +2678,7 @@ ######################################## ## @@ -35720,7 +36066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2413,19 +2684,21 @@ +@@ -2421,19 +2686,21 @@ ## ## # @@ -35746,7 +36092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2433,15 +2706,14 @@ +@@ -2441,15 +2708,14 @@ ## ## # @@ -35766,7 +36112,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2763,7 +3035,7 @@ +@@ -2467,7 +2733,7 @@ + type user_tty_device_t; + ') + +- allow $1 user_tty_device_t:chr_file getattr_chr_file_perms; ++ allow $1 user_tty_device_t:chr_file getattr; + ') + + ######################################## +@@ -2485,7 +2751,7 @@ + type user_tty_device_t; + ') + +- dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms; ++ dontaudit $1 user_tty_device_t:chr_file getattr; + ') + + ######################################## +@@ -2503,7 +2769,7 @@ + type user_tty_device_t; + ') + +- allow $1 user_tty_device_t:chr_file setattr_chr_file_perms; ++ allow $1 user_tty_device_t:chr_file setattr; + ') + + ######################################## +@@ -2521,7 +2787,7 @@ + type user_tty_device_t; + ') + +- dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms; ++ dontaudit $1 user_tty_device_t:chr_file setattr; + ') + + ######################################## +@@ -2787,7 +3053,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -35775,7 +36157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow unpriv_userdomain $1:process sigchld; ') -@@ -2779,11 +3051,33 @@ +@@ -2803,11 +3069,33 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -35811,7 +36193,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2898,6 +3192,25 @@ +@@ -2848,23 +3136,14 @@ + + ######################################## + ## +-## Do not audit attempts to inherit the file descriptors +-## from unprivileged user domains. ++## Do not audit attempts to inherit the ++## file descriptors from all user domains. + ## +-## +-##

+-## Do not audit attempts to inherit the file descriptors +-## from unprivileged user domains. This will supress +-## SELinux denial messages when the specified domain is denied +-## the permission to inherit these file descriptors. +-##

+-## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## +-## + # + interface(`userdom_dontaudit_use_unpriv_user_fds',` + gen_require(` +@@ -2931,6 +3210,25 @@ ######################################## ## @@ -35837,7 +36246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Write all users files in /tmp ## ## -@@ -2911,7 +3224,43 @@ +@@ -2944,7 +3242,43 @@ type user_tmp_t; ') @@ -35882,7 +36291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2948,6 +3297,7 @@ +@@ -2981,6 +3315,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -35890,7 +36299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -3078,3 +3428,674 @@ +@@ -3111,3 +3446,674 @@ allow $1 userdomain:dbus send_msg; ') @@ -36565,9 +36974,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + dontaudit $1 admin_home_t:file getattr; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.10/policy/modules/system/userdomain.te ---- nsaserefpolicy/policy/modules/system/userdomain.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/userdomain.te 2010-02-23 15:54:38.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.11/policy/modules/system/userdomain.te +--- nsaserefpolicy/policy/modules/system/userdomain.te 2010-03-03 23:26:37.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/userdomain.te 2010-03-03 23:48:01.000000000 -0500 @@ -8,13 +8,6 @@ ## @@ -36656,9 +37065,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +') + +allow userdomain userdomain:process signull; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.10/policy/modules/system/xen.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.11/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/xen.if 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/xen.if 2010-03-03 23:48:01.000000000 -0500 @@ -180,6 +180,25 @@ ######################################## @@ -36695,9 +37104,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if + typeattribute $1 xm_transition_domain; domtrans_pattern($1, xm_exec_t, xm_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.10/policy/modules/system/xen.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.11/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.10/policy/modules/system/xen.te 2010-03-01 11:58:29.000000000 -0500 ++++ serefpolicy-3.7.11/policy/modules/system/xen.te 2010-03-03 23:48:01.000000000 -0500 @@ -5,6 +5,7 @@ # # Declarations @@ -36797,9 +37206,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.7.10/policy/support/misc_patterns.spt +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.7.11/policy/support/misc_patterns.spt --- nsaserefpolicy/policy/support/misc_patterns.spt 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.10/policy/support/misc_patterns.spt 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/support/misc_patterns.spt 2010-03-03 23:48:01.000000000 -0500 @@ -15,7 +15,7 @@ domain_transition_pattern($1,$2,$3) @@ -36818,9 +37227,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns allow $3 $1:process sigchld; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.10/policy/support/obj_perm_sets.spt +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.11/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.10/policy/support/obj_perm_sets.spt 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/support/obj_perm_sets.spt 2010-03-03 23:48:01.000000000 -0500 @@ -28,7 +28,7 @@ # # All socket classes. @@ -36911,9 +37320,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets +define(`all_dbus_perms', `{ acquire_svc send_msg } ') +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ') +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.10/policy/users +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.11/policy/users --- nsaserefpolicy/policy/users 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.10/policy/users 2010-02-23 15:54:38.000000000 -0500 ++++ serefpolicy-3.7.11/policy/users 2010-03-03 23:48:01.000000000 -0500 @@ -6,7 +6,7 @@ # # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])