From 4f0c0c3aae9997233f3b3df812aa8c3db903b6c3 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mar 04 2010 18:19:14 +0000
Subject: - Update to upstream - These are merges of my patches
- Remove 389 labeling conflicts
- Add MLS fixes found in RHEL6 testing
- Allow pulseaudio to run as a service
- Add label for mssql and allow apache to connect to this database port if the
boolean is set
- Dontaudit searches of debugfs mount point
- Allow policykit_auth to send signals to itself
- Allow modcluster to call getpwnam
- Allow swat to signal winbind
- Allow usbmux to run as a system role
- Allow svirt to create and use devpts
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 126a786..cb381ef 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -1,6 +1,6 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.10/Makefile
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.11/Makefile
--- nsaserefpolicy/Makefile 2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.7.10/Makefile 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/Makefile 2010-03-03 23:48:01.000000000 -0500
@@ -244,7 +244,7 @@
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
@@ -10,9 +10,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.10/
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.10/policy/global_tunables
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.11/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.10/policy/global_tunables 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/global_tunables 2010-03-03 23:48:01.000000000 -0500
@@ -61,15 +61,6 @@
##
@@ -48,9 +48,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
+##
+gen_tunable(mmap_low_allowed, false)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-3.7.10/policy/modules/admin/acct.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-3.7.11/policy/modules/admin/acct.te
--- nsaserefpolicy/policy/modules/admin/acct.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/admin/acct.te 2010-02-24 11:55:06.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/acct.te 2010-03-03 23:48:01.000000000 -0500
@@ -43,6 +43,7 @@
fs_getattr_xattr_fs(acct_t)
@@ -59,9 +59,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te
corecmd_exec_bin(acct_t)
corecmd_exec_shell(acct_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.7.10/policy/modules/admin/alsa.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.7.11/policy/modules/admin/alsa.if
--- nsaserefpolicy/policy/modules/admin/alsa.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/admin/alsa.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/alsa.if 2010-03-03 23:48:01.000000000 -0500
@@ -76,6 +76,26 @@
########################################
@@ -89,9 +89,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if
## Read alsa lib files.
##
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.10/policy/modules/admin/alsa.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.11/policy/modules/admin/alsa.te
--- nsaserefpolicy/policy/modules/admin/alsa.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/admin/alsa.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/alsa.te 2010-03-03 23:48:01.000000000 -0500
@@ -51,6 +51,8 @@
files_read_etc_files(alsa_t)
files_read_usr_files(alsa_t)
@@ -101,9 +101,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
auth_use_nsswitch(alsa_t)
init_use_fds(alsa_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.10/policy/modules/admin/anaconda.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.11/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/admin/anaconda.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/anaconda.te 2010-03-03 23:48:01.000000000 -0500
@@ -31,6 +31,7 @@
modutils_domtrans_insmod(anaconda_t)
@@ -121,9 +121,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.7.10/policy/modules/admin/brctl.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.7.11/policy/modules/admin/brctl.te
--- nsaserefpolicy/policy/modules/admin/brctl.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/admin/brctl.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/brctl.te 2010-03-03 23:48:01.000000000 -0500
@@ -21,7 +21,7 @@
allow brctl_t self:unix_dgram_socket create_socket_perms;
allow brctl_t self:tcp_socket create_socket_perms;
@@ -133,9 +133,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.t
kernel_read_network_state(brctl_t)
kernel_read_sysctl(brctl_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.10/policy/modules/admin/certwatch.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.11/policy/modules/admin/certwatch.te
--- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/admin/certwatch.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/certwatch.te 2010-03-03 23:48:01.000000000 -0500
@@ -36,7 +36,7 @@
miscfiles_read_localization(certwatch_t)
@@ -145,9 +145,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat
optional_policy(`
apache_exec_modules(certwatch_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.7.10/policy/modules/admin/consoletype.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.7.11/policy/modules/admin/consoletype.if
--- nsaserefpolicy/policy/modules/admin/consoletype.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/admin/consoletype.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/consoletype.if 2010-03-03 23:48:01.000000000 -0500
@@ -19,6 +19,9 @@
corecmd_search_bin($1)
@@ -158,9 +158,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.10/policy/modules/admin/consoletype.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.11/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/admin/consoletype.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/consoletype.te 2010-03-03 23:48:01.000000000 -0500
@@ -10,7 +10,6 @@
type consoletype_exec_t;
application_executable_file(consoletype_exec_t)
@@ -169,9 +169,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
role system_r types consoletype_t;
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.10/policy/modules/admin/firstboot.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.11/policy/modules/admin/firstboot.te
--- nsaserefpolicy/policy/modules/admin/firstboot.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/admin/firstboot.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/firstboot.te 2010-03-03 23:48:01.000000000 -0500
@@ -91,8 +91,12 @@
userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
@@ -194,9 +194,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.7.10/policy/modules/admin/kismet.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.7.11/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 2009-11-25 15:15:48.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/admin/kismet.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/kismet.te 2010-03-03 23:48:01.000000000 -0500
@@ -45,6 +45,7 @@
manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t)
manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
@@ -223,9 +223,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
corecmd_exec_bin(kismet_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.10/policy/modules/admin/logrotate.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.11/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/admin/logrotate.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/logrotate.te 2010-03-03 23:48:01.000000000 -0500
@@ -32,7 +32,7 @@
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
@@ -325,9 +325,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
+optional_policy(`
varnishd_manage_log(logrotate_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.10/policy/modules/admin/logwatch.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.11/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/admin/logwatch.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/logwatch.te 2010-03-03 23:48:01.000000000 -0500
@@ -93,6 +93,13 @@
sysnet_exec_ifconfig(logwatch_t)
@@ -348,15 +348,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
samba_read_log(logwatch_t)
+ samba_read_share_files(logwatch_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.7.10/policy/modules/admin/mcelog.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.7.11/policy/modules/admin/mcelog.fc
--- nsaserefpolicy/policy/modules/admin/mcelog.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/admin/mcelog.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/mcelog.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.if serefpolicy-3.7.10/policy/modules/admin/mcelog.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.if serefpolicy-3.7.11/policy/modules/admin/mcelog.if
--- nsaserefpolicy/policy/modules/admin/mcelog.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/admin/mcelog.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/mcelog.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,21 @@
+
+## policy for mcelog
@@ -379,9 +379,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.
+ domtrans_pattern($1, mcelog_exec_t, mcelog_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.7.10/policy/modules/admin/mcelog.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.7.11/policy/modules/admin/mcelog.te
--- nsaserefpolicy/policy/modules/admin/mcelog.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/admin/mcelog.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/mcelog.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,32 @@
+
+policy_module(mcelog,1.0.0)
@@ -415,9 +415,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.
+miscfiles_read_localization(mcelog_t)
+
+logging_send_syslog_msg(mcelog_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.10/policy/modules/admin/mrtg.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.11/policy/modules/admin/mrtg.te
--- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/admin/mrtg.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/mrtg.te 2010-03-03 23:48:01.000000000 -0500
@@ -116,6 +116,7 @@
userdom_use_user_terminals(mrtg_t)
userdom_dontaudit_read_user_home_content_files(mrtg_t)
@@ -426,9 +426,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te
netutils_domtrans_ping(mrtg_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.10/policy/modules/admin/netutils.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.11/policy/modules/admin/netutils.fc
--- nsaserefpolicy/policy/modules/admin/netutils.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/admin/netutils.fc 2010-02-24 10:17:21.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/netutils.fc 2010-03-03 23:48:01.000000000 -0500
@@ -9,6 +9,7 @@
/usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
@@ -437,9 +437,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
/usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
/usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.10/policy/modules/admin/netutils.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.11/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/admin/netutils.te 2010-02-26 15:38:35.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/netutils.te 2010-03-03 23:48:01.000000000 -0500
@@ -44,6 +44,7 @@
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
@@ -490,17 +490,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
+ term_use_all_ttys(traceroute_t)
+ term_use_all_ptys(traceroute_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.10/policy/modules/admin/prelink.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.11/policy/modules/admin/prelink.fc
--- nsaserefpolicy/policy/modules/admin/prelink.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/admin/prelink.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/prelink.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,3 +1,4 @@
+/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0)
/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.10/policy/modules/admin/prelink.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.11/policy/modules/admin/prelink.if
--- nsaserefpolicy/policy/modules/admin/prelink.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/admin/prelink.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/prelink.if 2010-03-03 23:48:01.000000000 -0500
@@ -21,6 +21,25 @@
########################################
@@ -541,9 +541,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
- relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+ relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.10/policy/modules/admin/prelink.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.11/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/admin/prelink.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/prelink.te 2010-03-03 23:48:01.000000000 -0500
@@ -21,8 +21,21 @@
type prelink_tmp_t;
files_tmp_file(prelink_tmp_t)
@@ -667,9 +667,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
+optional_policy(`
+ rpm_read_db(prelink_cron_system_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.7.10/policy/modules/admin/quota.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.7.11/policy/modules/admin/quota.te
--- nsaserefpolicy/policy/modules/admin/quota.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/admin/quota.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/quota.te 2010-03-03 23:48:01.000000000 -0500
@@ -39,6 +39,7 @@
kernel_list_proc(quota_t)
kernel_read_proc_symlinks(quota_t)
@@ -678,9 +678,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.t
dev_read_sysfs(quota_t)
dev_getattr_all_blk_files(quota_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.10/policy/modules/admin/readahead.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.11/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/admin/readahead.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/readahead.te 2010-03-03 23:48:01.000000000 -0500
@@ -52,6 +52,7 @@
files_list_non_security(readahead_t)
@@ -698,9 +698,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
fs_dontaudit_search_ramfs(readahead_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.10/policy/modules/admin/rpm.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.11/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/admin/rpm.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/rpm.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,18 +1,19 @@
/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -751,9 +751,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
# SuSE
ifdef(`distro_suse', `
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.10/policy/modules/admin/rpm.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.11/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/admin/rpm.if 2010-03-01 09:23:04.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/rpm.if 2010-03-03 23:48:01.000000000 -0500
@@ -13,11 +13,36 @@
interface(`rpm_domtrans',`
gen_require(`
@@ -1207,9 +1207,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.10/policy/modules/admin/rpm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.11/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/admin/rpm.te 2010-02-26 09:13:01.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/rpm.te 2010-03-03 23:48:01.000000000 -0500
@@ -1,6 +1,8 @@
policy_module(rpm, 1.10.0)
@@ -1494,18 +1494,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.7.10/policy/modules/admin/shorewall.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.7.11/policy/modules/admin/shorewall.fc
--- nsaserefpolicy/policy/modules/admin/shorewall.fc 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/admin/shorewall.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/shorewall.fc 2010-03-03 23:48:01.000000000 -0500
@@ -10,3 +10,5 @@
/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
/var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+
+/var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.10/policy/modules/admin/shorewall.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.11/policy/modules/admin/shorewall.te
--- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/admin/shorewall.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/shorewall.te 2010-03-03 23:48:01.000000000 -0500
@@ -29,6 +29,9 @@
type shorewall_var_lib_t;
files_type(shorewall_var_lib_t)
@@ -1536,22 +1536,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
optional_policy(`
iptables_domtrans(shorewall_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.7.10/policy/modules/admin/smoltclient.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.7.11/policy/modules/admin/smoltclient.fc
--- nsaserefpolicy/policy/modules/admin/smoltclient.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/admin/smoltclient.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/smoltclient.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0)
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.7.10/policy/modules/admin/smoltclient.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.7.11/policy/modules/admin/smoltclient.if
--- nsaserefpolicy/policy/modules/admin/smoltclient.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/admin/smoltclient.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/smoltclient.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1 @@
+## The Fedora hardware profiler client
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.10/policy/modules/admin/smoltclient.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.11/policy/modules/admin/smoltclient.te
--- nsaserefpolicy/policy/modules/admin/smoltclient.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/admin/smoltclient.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/smoltclient.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,66 @@
+policy_module(smoltclient,1.0.0)
+
@@ -1619,9 +1619,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltcl
+ rpm_exec(smoltclient_t)
+ rpm_read_db(smoltclient_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.10/policy/modules/admin/sudo.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.11/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/admin/sudo.if 2010-02-26 14:44:57.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/sudo.if 2010-03-03 23:48:01.000000000 -0500
@@ -73,12 +73,16 @@
# Enter this derived domain from the user domain
domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
@@ -1650,9 +1650,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_sudo_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.7.10/policy/modules/admin/su.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.7.11/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/admin/su.if 2010-02-26 14:44:23.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/su.if 2010-03-03 23:48:01.000000000 -0500
@@ -58,6 +58,10 @@
allow $2 $1_su_t:fifo_file rw_file_perms;
allow $2 $1_su_t:process sigchld;
@@ -1675,9 +1675,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
ps_process_pattern($3, $1_su_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.10/policy/modules/admin/tmpreaper.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.11/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/admin/tmpreaper.te 2010-02-24 17:01:02.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/tmpreaper.te 2010-03-03 23:48:01.000000000 -0500
@@ -42,6 +42,7 @@
cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
@@ -1716,9 +1716,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
+optional_policy(`
unconfined_domain(tmpreaper_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.10/policy/modules/admin/usermanage.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.11/policy/modules/admin/usermanage.if
--- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/admin/usermanage.if 2010-02-26 14:43:39.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/usermanage.if 2010-03-03 23:48:01.000000000 -0500
@@ -18,6 +18,10 @@
files_search_usr($1)
corecmd_search_bin($1)
@@ -1774,9 +1774,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
optional_policy(`
nscd_run(useradd_t, $2)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.10/policy/modules/admin/usermanage.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.11/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/admin/usermanage.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/usermanage.te 2010-03-03 23:48:01.000000000 -0500
@@ -209,6 +209,7 @@
files_manage_etc_files(groupadd_t)
files_relabel_etc_files(groupadd_t)
@@ -1845,9 +1845,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
puppet_rw_tmp(useradd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.10/policy/modules/admin/vbetool.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.11/policy/modules/admin/vbetool.te
--- nsaserefpolicy/policy/modules/admin/vbetool.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/admin/vbetool.te 2010-02-25 18:25:39.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/vbetool.te 2010-03-03 23:48:01.000000000 -0500
@@ -25,7 +25,13 @@
dev_rw_xserver_misc(vbetool_t)
dev_rw_mtrr(vbetool_t)
@@ -1862,9 +1862,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool
term_use_unallocated_ttys(vbetool_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.10/policy/modules/admin/vpn.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.11/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/admin/vpn.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/admin/vpn.te 2010-03-03 23:48:01.000000000 -0500
@@ -46,6 +46,7 @@
kernel_read_system_state(vpnc_t)
kernel_read_network_state(vpnc_t)
@@ -1881,9 +1881,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te
optional_policy(`
dbus_system_bus_client(vpnc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.te serefpolicy-3.7.10/policy/modules/apps/cdrecord.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.te serefpolicy-3.7.11/policy/modules/apps/cdrecord.te
--- nsaserefpolicy/policy/modules/apps/cdrecord.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/cdrecord.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/cdrecord.te 2010-03-03 23:48:01.000000000 -0500
@@ -32,6 +32,8 @@
allow cdrecord_t self:unix_dgram_socket create_socket_perms;
allow cdrecord_t self:unix_stream_socket create_stream_socket_perms;
@@ -1893,15 +1893,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord
# allow searching for cdrom-drive
dev_list_all_dev_nodes(cdrecord_t)
dev_read_sysfs(cdrecord_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.10/policy/modules/apps/chrome.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.11/policy/modules/apps/chrome.fc
--- nsaserefpolicy/policy/modules/apps/chrome.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/chrome.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/chrome.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.10/policy/modules/apps/chrome.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.11/policy/modules/apps/chrome.if
--- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/chrome.if 2010-02-26 14:30:20.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/chrome.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,90 @@
+
+## policy for chrome
@@ -1993,10 +1993,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i
+ allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.10/policy/modules/apps/chrome.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.11/policy/modules/apps/chrome.te
--- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/chrome.te 2010-02-26 10:42:14.000000000 -0500
-@@ -0,0 +1,82 @@
++++ serefpolicy-3.7.11/policy/modules/apps/chrome.te 2010-03-03 23:48:01.000000000 -0500
+@@ -0,0 +1,81 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -2020,7 +2020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t
+#
+# chrome_sandbox local policy
+#
-+allow chrome_sandbox_t self:capability { setuid sys_admin sys_ptrace dac_override sys_chroot chown fsetid setgid };
++allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
+allow chrome_sandbox_t self:fifo_file manage_file_perms;
+allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
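Review bot: The capability set on the changed `allow chrome_sandbox_t self:capability` line — chown, dac_override, fsetid, setgid, setuid, sys_admin, sys_chroot, sys_ptrace — is close to root-equivalent, and neither this line nor the rules around it say why each capability is required, so the newly sorted list still gives a later reviewer nothing to decide what can be dropped. I would put a comment above it naming the operation each capability serves, e.g. `# chrome-sandbox is the setuid helper; presumably sys_chroot/sys_admin cover chroot and namespace setup and setuid/setgid the uid drop -- confirm, and justify or drop chown, fsetid, dac_override, sys_ptrace`. The `execmem execstack` grant on the following process line deserves the same treatment, since a sandbox helper that itself needs executable anonymous memory weakens the confinement it provides; the chrome binary is labeled execmem_exec_t separately elsewhere in this patch, so confirm the helper really needs it. The chrome_sandbox_t rule block continues outside this hunk.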
@@ -2078,10 +2078,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t
+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
+ fs_dontaudit_read_cifs_files(chrome_sandbox_t)
+')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.10/policy/modules/apps/cpufreqselector.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.11/policy/modules/apps/cpufreqselector.te
--- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/cpufreqselector.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/cpufreqselector.te 2010-03-03 23:48:01.000000000 -0500
@@ -26,7 +26,7 @@
dev_rw_sysfs(cpufreqselector_t)
@@ -2091,9 +2090,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs
optional_policy(`
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.10/policy/modules/apps/execmem.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.11/policy/modules/apps/execmem.fc
--- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/execmem.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/execmem.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,43 @@
+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -2138,9 +2137,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+
+/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.10/policy/modules/apps/execmem.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.11/policy/modules/apps/execmem.if
--- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/execmem.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/execmem.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,108 @@
+## execmem domain
+
@@ -2250,9 +2249,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+
+ domtrans_pattern($1, execmem_exec_t, $2)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.10/policy/modules/apps/execmem.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.11/policy/modules/apps/execmem.te
--- nsaserefpolicy/policy/modules/apps/execmem.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/execmem.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/execmem.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,11 @@
+
+policy_module(execmem, 1.0.0)
@@ -2265,16 +2264,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+type execmem_exec_t alias unconfined_execmem_exec_t;
+application_executable_file(execmem_exec_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.10/policy/modules/apps/firewallgui.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.11/policy/modules/apps/firewallgui.fc
--- nsaserefpolicy/policy/modules/apps/firewallgui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/firewallgui.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/firewallgui.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,3 @@
+
+/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.10/policy/modules/apps/firewallgui.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.11/policy/modules/apps/firewallgui.if
--- nsaserefpolicy/policy/modules/apps/firewallgui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/firewallgui.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/firewallgui.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,23 @@
+
+## policy for firewallgui
@@ -2299,9 +2298,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall
+ allow $1 firewallgui_t:dbus send_msg;
+ allow firewallgui_t $1:dbus send_msg;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.10/policy/modules/apps/firewallgui.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.11/policy/modules/apps/firewallgui.te
--- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/firewallgui.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/firewallgui.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,66 @@
+
+policy_module(firewallgui,1.0.0)
@@ -2369,9 +2368,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall
+ policykit_dbus_chat(firewallgui_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.10/policy/modules/apps/gitosis.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.11/policy/modules/apps/gitosis.if
--- nsaserefpolicy/policy/modules/apps/gitosis.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/apps/gitosis.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/gitosis.if 2010-03-03 23:48:01.000000000 -0500
@@ -43,3 +43,47 @@
role $2 types gitosis_t;
')
@@ -2420,9 +2419,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.
+ manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.10/policy/modules/apps/gnome.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.11/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/apps/gnome.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/gnome.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,8 +1,28 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
@@ -2454,9 +2453,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
+
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.10/policy/modules/apps/gnome.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.11/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/apps/gnome.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/gnome.if 2010-03-03 23:48:01.000000000 -0500
@@ -74,6 +74,24 @@
########################################
@@ -2693,9 +2692,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
+
+ allow $1 gnome_home_type:file rw_inherited_file_perms;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.10/policy/modules/apps/gnome.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.11/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/apps/gnome.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/gnome.te 2010-03-03 23:48:01.000000000 -0500
@@ -7,18 +7,33 @@
#
@@ -2844,18 +2843,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
+ policykit_read_lib(gnomesystemmm_t)
+ policykit_read_reload(gnomesystemmm_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.7.10/policy/modules/apps/gpg.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.7.11/policy/modules/apps/gpg.fc
--- nsaserefpolicy/policy/modules/apps/gpg.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/apps/gpg.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/gpg.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,4 +1,5 @@
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.10/policy/modules/apps/gpg.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.11/policy/modules/apps/gpg.if
--- nsaserefpolicy/policy/modules/apps/gpg.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/apps/gpg.if 2010-03-01 11:52:26.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/gpg.if 2010-03-03 23:48:01.000000000 -0500
@@ -52,11 +52,8 @@
ifdef(`hide_broken_symptoms',`
@@ -2869,9 +2868,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.10/policy/modules/apps/gpg.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.11/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/gpg.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/gpg.te 2010-03-03 23:48:01.000000000 -0500
@@ -20,6 +20,7 @@
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
application_domain(gpg_t, gpg_exec_t)
@@ -2912,9 +2911,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
########################################
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.10/policy/modules/apps/java.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.11/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/java.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/java.fc 2010-03-03 23:48:01.000000000 -0500
@@ -9,6 +9,7 @@
#
# /usr
@@ -2934,9 +2933,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc
+
+/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.10/policy/modules/apps/java.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.11/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/java.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/java.if 2010-03-03 23:48:01.000000000 -0500
@@ -72,6 +72,7 @@
domain_interactive_fd($1_java_t)
@@ -2962,9 +2961,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.10/policy/modules/apps/java.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.11/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/java.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/java.te 2010-03-03 23:48:01.000000000 -0500
@@ -147,6 +147,14 @@
init_dbus_chat_script(unconfined_java_t)
@@ -2980,21 +2979,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
+ rpm_domtrans(unconfined_java_t)
+ ')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.10/policy/modules/apps/kdumpgui.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.11/policy/modules/apps/kdumpgui.fc
--- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/kdumpgui.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/kdumpgui.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.10/policy/modules/apps/kdumpgui.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.11/policy/modules/apps/kdumpgui.if
--- nsaserefpolicy/policy/modules/apps/kdumpgui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/kdumpgui.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/kdumpgui.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,2 @@
+## system-config-kdump policy
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.10/policy/modules/apps/kdumpgui.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.11/policy/modules/apps/kdumpgui.te
--- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/kdumpgui.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/kdumpgui.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,68 @@
+policy_module(kdumpgui,1.0.0)
+
@@ -3064,15 +3063,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui
+optional_policy(`
+ policykit_dbus_chat(kdumpgui_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.10/policy/modules/apps/livecd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.11/policy/modules/apps/livecd.fc
--- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/livecd.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/livecd.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.10/policy/modules/apps/livecd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.11/policy/modules/apps/livecd.if
--- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/livecd.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/livecd.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,52 @@
+
+## policy for livecd
@@ -3126,9 +3125,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.i
+ usermanage_run_chfn(livecd_t, $2)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.10/policy/modules/apps/livecd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.11/policy/modules/apps/livecd.te
--- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/livecd.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/livecd.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,27 @@
+policy_module(livecd, 1.0.0)
+
@@ -3157,9 +3156,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.t
+
+seutil_domtrans_setfiles_mac(livecd_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-3.7.10/policy/modules/apps/loadkeys.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-3.7.11/policy/modules/apps/loadkeys.if
--- nsaserefpolicy/policy/modules/apps/loadkeys.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/apps/loadkeys.if 2010-02-26 14:41:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/loadkeys.if 2010-03-03 23:48:01.000000000 -0500
@@ -17,6 +17,9 @@
corecmd_search_bin($1)
@@ -3170,9 +3169,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.10/policy/modules/apps/loadkeys.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.11/policy/modules/apps/loadkeys.te
--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/apps/loadkeys.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/loadkeys.te 2010-03-03 23:48:01.000000000 -0500
@@ -40,8 +40,12 @@
miscfiles_read_localization(loadkeys_t)
@@ -3187,9 +3186,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys
+ifdef(`hide_broken_symptoms',`
+ dev_dontaudit_rw_lvm_control(loadkeys_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.10/policy/modules/apps/mono.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.11/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/mono.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/mono.if 2010-03-03 23:48:01.000000000 -0500
@@ -40,10 +40,10 @@
domain_interactive_fd($1_mono_t)
application_type($1_mono_t)
@@ -3202,9 +3201,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
domtrans_pattern($3, mono_exec_t, $1_mono_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.10/policy/modules/apps/mozilla.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.11/policy/modules/apps/mozilla.fc
--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/apps/mozilla.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/mozilla.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,6 +1,7 @@
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -3221,9 +3220,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.10/policy/modules/apps/mozilla.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.11/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/mozilla.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/mozilla.if 2010-03-03 23:48:01.000000000 -0500
@@ -48,6 +48,12 @@
mozilla_dbus_chat($2)
@@ -3269,9 +3268,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
+ allow $1 mozilla_home_t:file execmod;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.10/policy/modules/apps/mozilla.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.11/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/mozilla.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/mozilla.te 2010-03-03 23:48:01.000000000 -0500
@@ -91,6 +91,7 @@
corenet_raw_sendrecv_generic_node(mozilla_t)
corenet_tcp_sendrecv_http_port(mozilla_t)
@@ -3330,9 +3329,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
+optional_policy(`
thunderbird_domtrans(mozilla_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.10/policy/modules/apps/nsplugin.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.11/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/nsplugin.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/nsplugin.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,10 @@
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
@@ -3344,9 +3343,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.10/policy/modules/apps/nsplugin.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.11/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/nsplugin.if 2010-03-01 11:46:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/nsplugin.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,355 @@
+
+## policy for nsplugin
@@ -3703,9 +3702,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+ allow $1 nsplugin_t:sem rw_sem_perms;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.10/policy/modules/apps/nsplugin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.11/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/nsplugin.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/nsplugin.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,296 @@
+
+policy_module(nsplugin, 1.0.0)
@@ -4003,16 +4002,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.10/policy/modules/apps/openoffice.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.11/policy/modules/apps/openoffice.fc
--- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/openoffice.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/openoffice.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,3 @@
+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.10/policy/modules/apps/openoffice.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.11/policy/modules/apps/openoffice.if
--- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/openoffice.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/openoffice.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,92 @@
+## Openoffice
+
@@ -4106,9 +4105,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi
+ xserver_common_x_domain_template($1, $1_openoffice_t)
+ ')
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.10/policy/modules/apps/openoffice.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.11/policy/modules/apps/openoffice.te
--- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/openoffice.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/openoffice.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,11 @@
+
+policy_module(openoffice, 1.0.0)
@@ -4121,9 +4120,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi
+type openoffice_t;
+type openoffice_exec_t;
+application_domain(openoffice_t, openoffice_exec_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.10/policy/modules/apps/podsleuth.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.11/policy/modules/apps/podsleuth.te
--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/podsleuth.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/podsleuth.te 2010-03-03 23:48:01.000000000 -0500
@@ -50,6 +50,7 @@
fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file })
@@ -4147,9 +4146,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut
optional_policy(`
dbus_system_bus_client(podsleuth_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.7.10/policy/modules/apps/ptchown.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.7.11/policy/modules/apps/ptchown.if
--- nsaserefpolicy/policy/modules/apps/ptchown.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/apps/ptchown.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/ptchown.if 2010-03-03 23:48:01.000000000 -0500
@@ -18,3 +18,27 @@
domtrans_pattern($1, ptchown_exec_t, ptchown_t)
')
@@ -4178,20 +4177,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.
+ ptchown_domtrans($1)
+ role $2 types ptchown_t;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.10/policy/modules/apps/pulseaudio.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.11/policy/modules/apps/pulseaudio.fc
--- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/apps/pulseaudio.fc 2010-02-23 15:54:38.000000000 -0500
-@@ -1 +1,7 @@
++++ serefpolicy-3.7.11/policy/modules/apps/pulseaudio.fc 2010-03-04 09:44:00.000000000 -0500
+@@ -1 +1,9 @@
+HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0)
+
++/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
++
+/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
+
/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.10/policy/modules/apps/pulseaudio.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.11/policy/modules/apps/pulseaudio.if
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/apps/pulseaudio.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/pulseaudio.if 2010-03-03 23:48:01.000000000 -0500
@@ -29,7 +29,7 @@
ps_process_pattern($2, pulseaudio_t)
@@ -4295,10 +4296,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
- allow $1 pulseaudio_t:unix_stream_socket connectto;
+ stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.10/policy/modules/apps/pulseaudio.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.11/policy/modules/apps/pulseaudio.te
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/pulseaudio.te 2010-03-01 09:47:28.000000000 -0500
-@@ -8,17 +8,28 @@
++++ serefpolicy-3.7.11/policy/modules/apps/pulseaudio.te 2010-03-04 11:08:17.000000000 -0500
+@@ -8,24 +8,51 @@
type pulseaudio_t;
type pulseaudio_exec_t;
@@ -4306,21 +4307,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
application_domain(pulseaudio_t, pulseaudio_exec_t)
role system_r types pulseaudio_t;
-+type pulseaudio_var_run_t;
-+files_pid_file(pulseaudio_var_run_t)
-+
+type pulseaudio_home_t;
+userdom_user_home_content(pulseaudio_home_t)
+
+type pulseaudio_tmpfs_t;
+files_tmpfs_file(pulseaudio_tmpfs_t)
+
++type pulseaudio_var_lib_t;
++files_type(pulseaudio_var_lib_t)
++
++type pulseaudio_var_run_t;
++files_pid_file(pulseaudio_var_run_t)
++
########################################
#
# pulseaudio local policy
#
-
-+allow pulseaudio_t self:capability { setuid sys_nice setgid };
+-
++allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource };
allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
allow pulseaudio_t self:fifo_file rw_file_perms;
-allow pulseaudio_t self:unix_stream_socket create_stream_socket_perms;
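Review bot: The capability line grows from `{ setuid sys_nice setgid }` to `{ fowner fsetid chown setgid setuid sys_nice sys_resource }` with nothing recording which operation needs the four new bits, and chown/fowner/fsetid together let the domain re-own and set id bits on everything it can already setattr — which after this patch includes `pulseaudio_home_t` content in user home directories and the new `/var/lib/pulse` type declared a few lines above. The commit message says this is for running pulseaudio as a service, so presumably the system-mode daemon needs to chown its runtime directories when it drops to the pulse user, but that is an inference from the message, not from the hunk. I would record the reason next to the rule, e.g. `# chown/fowner/fsetid: system mode re-owns /var/run/pulse and /var/lib/pulse after dropping privileges; sys_resource: raising its own RLIMIT_NICE/RLIMIT_RTPRIO`, adjusted to whatever the AVC denials actually showed, and drop any bit that was not observed. The pulseaudio_t local policy continues past the end of this hunk.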
@@ -4328,36 +4332,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
allow pulseaudio_t self:udp_socket create_socket_perms;
-@@ -26,6 +37,7 @@
+ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
++userdom_search_user_home_dirs(pulseaudio_t)
++manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
++manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
++
++manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
++manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
++files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
++
++manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
++manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
++manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
++files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
++
can_exec(pulseaudio_t, pulseaudio_exec_t)
+kernel_getattr_proc(pulseaudio_t)
kernel_read_system_state(pulseaudio_t)
kernel_read_kernel_sysctls(pulseaudio_t)
-@@ -66,11 +78,17 @@
- bluetooth_stream_connect(pulseaudio_t)
+@@ -67,10 +94,7 @@
')
--optional_policy(`
+ optional_policy(`
- gnome_manage_config(pulseaudio_t)
-')
-+manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
-+manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
-+manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
-+files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
-+
-+userdom_search_user_home_dirs(pulseaudio_t)
-+manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
-+manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
-
- optional_policy(`
+-
+-optional_policy(`
+ dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
dbus_system_bus_client(pulseaudio_t)
dbus_session_bus_client(pulseaudio_t)
dbus_connect_session_bus(pulseaudio_t)
-@@ -93,6 +111,10 @@
+@@ -93,6 +117,10 @@
')
optional_policy(`
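Review bot: The hoisted home-directory rules grant `manage_dirs_pattern`/`manage_files_pattern` on `pulseaudio_home_t`, but no `userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, ...)` is visible in the hunk, so when `pulseaudio_t` itself creates `~/.pulse` or `~/.pulse-cookie` the new object inherits the home directory's default type rather than the type the .fc file assigns, and pulseaudio_t's own later accesses would be denied until a relabel. This matters more than usual because `.pulse-cookie` is the shared secret for the daemon's native protocol and its label decides which domains may read it. If the transition is defined elsewhere in the module this is moot, but otherwise I would add `userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, { dir file })` beside the `userdom_search_user_home_dirs(pulseaudio_t)` call. The enclosing pulseaudio_t policy continues outside the hunk.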
@@ -4368,7 +4376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
policykit_domtrans_auth(pulseaudio_t)
policykit_read_lib(pulseaudio_t)
policykit_read_reload(pulseaudio_t)
-@@ -103,6 +125,9 @@
+@@ -103,6 +131,9 @@
')
optional_policy(`
@@ -4378,9 +4386,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
+ xserver_read_xdm_pid(pulseaudio_t)
+ xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.10/policy/modules/apps/qemu.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.11/policy/modules/apps/qemu.if
--- nsaserefpolicy/policy/modules/apps/qemu.if 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/qemu.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/qemu.if 2010-03-03 23:48:01.000000000 -0500
@@ -127,12 +127,14 @@
template(`qemu_role',`
gen_require(`
@@ -4469,9 +4477,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if
manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.10/policy/modules/apps/qemu.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.11/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/qemu.te 2010-02-26 10:43:41.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/qemu.te 2010-03-03 23:48:01.000000000 -0500
@@ -50,6 +50,8 @@
#
# qemu local policy
@@ -4502,20 +4510,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te
allow unconfined_qemu_t self:process { execstack execmem };
+ allow unconfined_qemu_t qemu_exec_t:file execmod;
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.10/policy/modules/apps/sambagui.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.11/policy/modules/apps/sambagui.fc
--- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/sambagui.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/sambagui.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1 @@
+/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.10/policy/modules/apps/sambagui.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.11/policy/modules/apps/sambagui.if
--- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/sambagui.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/sambagui.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,2 @@
+## system-config-samba policy
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.10/policy/modules/apps/sambagui.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.11/policy/modules/apps/sambagui.te
--- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/sambagui.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/sambagui.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,66 @@
+policy_module(sambagui,1.0.0)
+
@@ -4583,14 +4591,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui
+optional_policy(`
+ policykit_dbus_chat(sambagui_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.10/policy/modules/apps/sandbox.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.11/policy/modules/apps/sandbox.fc
--- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/sandbox.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/sandbox.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1 @@
+# No types are sandbox_exec_t
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.10/policy/modules/apps/sandbox.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.11/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/sandbox.if 2010-02-24 10:22:17.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/sandbox.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,248 @@
+
+## policy for sandbox
@@ -4840,10 +4848,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+ allow $1 sandbox_file_type:dir list_dir_perms;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.10/policy/modules/apps/sandbox.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.11/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/sandbox.te 2010-02-23 15:54:38.000000000 -0500
-@@ -0,0 +1,364 @@
++++ serefpolicy-3.7.11/policy/modules/apps/sandbox.te 2010-03-03 23:48:01.000000000 -0500
+@@ -0,0 +1,365 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -4928,6 +4936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+logging_send_audit_msgs(sandbox_xserver_t)
+
+userdom_use_user_terminals(sandbox_xserver_t)
++userdom_dontaudit_search_user_home_content(sandbox_xserver_t)
+
+xserver_entry_type(sandbox_xserver_t)
+
@@ -5208,9 +5217,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+optional_policy(`
+ hal_dbus_chat(sandbox_net_client_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.10/policy/modules/apps/screen.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.11/policy/modules/apps/screen.if
--- nsaserefpolicy/policy/modules/apps/screen.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/screen.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/screen.if 2010-03-03 23:48:01.000000000 -0500
@@ -141,6 +141,7 @@
userdom_create_user_pty($1_screen_t)
userdom_user_home_domtrans($1_screen_t, $3)
@@ -5219,9 +5228,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i
tunable_policy(`use_samba_home_dirs',`
fs_cifs_domtrans($1_screen_t, $3)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.10/policy/modules/apps/seunshare.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.11/policy/modules/apps/seunshare.if
--- nsaserefpolicy/policy/modules/apps/seunshare.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/seunshare.if 2010-02-26 14:42:02.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/seunshare.if 2010-03-03 23:48:01.000000000 -0500
@@ -2,59 +2,14 @@
########################################
@@ -5319,9 +5328,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
+ dontaudit $1_seunshare_t $3:socket_class_set { read write };
+ ')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.10/policy/modules/apps/seunshare.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.11/policy/modules/apps/seunshare.te
--- nsaserefpolicy/policy/modules/apps/seunshare.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/seunshare.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/seunshare.te 2010-03-03 23:48:01.000000000 -0500
@@ -6,40 +6,39 @@
# Declarations
#
@@ -5380,9 +5389,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
+ mozilla_dontaudit_manage_user_home_files(seunshare_domain)
')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.10/policy/modules/apps/slocate.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.11/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/apps/slocate.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/slocate.te 2010-03-03 23:48:01.000000000 -0500
@@ -30,6 +30,7 @@
manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
@@ -5399,9 +5408,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.
# getpwnam
auth_use_nsswitch(locate_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.7.10/policy/modules/apps/vmware.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.7.11/policy/modules/apps/vmware.if
--- nsaserefpolicy/policy/modules/apps/vmware.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/apps/vmware.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/vmware.if 2010-03-03 23:48:01.000000000 -0500
@@ -84,3 +84,22 @@
logging_search_logs($1)
append_files_pattern($1, vmware_log_t, vmware_log_t)
@@ -5425,9 +5434,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i
+ can_exec($1, vmware_host_exec_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.10/policy/modules/apps/vmware.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.11/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/vmware.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/vmware.te 2010-03-03 23:48:01.000000000 -0500
@@ -29,6 +29,10 @@
type vmware_host_exec_t;
init_daemon_domain(vmware_host_t, vmware_host_exec_t)
@@ -5451,9 +5460,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t
manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.10/policy/modules/apps/wine.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.11/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/wine.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/wine.if 2010-03-03 23:48:01.000000000 -0500
@@ -35,6 +35,8 @@
role $1 types wine_t;
@@ -5479,9 +5488,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if
optional_policy(`
xserver_role($1_r, $1_wine_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.10/policy/modules/apps/wine.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.11/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/wine.te 2010-02-24 12:06:19.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/apps/wine.te 2010-03-03 23:48:01.000000000 -0500
@@ -1,6 +1,14 @@
policy_module(wine, 1.6.1)
@@ -5512,18 +5521,61 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
files_execmod_all_files(wine_t)
-@@ -41,7 +55,7 @@
- ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.7.11/policy/modules/apps/wm.if
+--- nsaserefpolicy/policy/modules/apps/wm.if 2009-07-27 18:11:17.000000000 -0400
++++ serefpolicy-3.7.11/policy/modules/apps/wm.if 2010-03-04 09:20:55.000000000 -0500
+@@ -30,6 +30,7 @@
+ template(`wm_role_template',`
+ gen_require(`
+ type wm_exec_t;
++ class dbus send_msg;
+ ')
- optional_policy(`
-- unconfined_domain_noaudit(wine_t)
-+ unconfined_domain(wine_t)
+ type $1_wm_t;
+@@ -42,6 +43,12 @@
+ allow $1_wm_t self:shm create_shm_perms;
+
+ allow $1_wm_t $3:unix_stream_socket connectto;
++ allow $3 $1_wm_t:unix_stream_socket connectto;
++ allow $3 $1_wm_t:process signal;
++ allow $1_wm_t $3:process signull;
++
++ allow $1_wm_t $3:dbus send_msg;
++ allow $3 $1_wm_t:dbus send_msg;
+
+ domtrans_pattern($3, wm_exec_t, $1_wm_t)
+
+@@ -55,6 +62,8 @@
+ files_read_etc_files($1_wm_t)
+ files_read_usr_files($1_wm_t)
+
++ fs_getattr_tmpfs($1_wm_t)
++
+ mls_file_read_all_levels($1_wm_t)
+ mls_file_write_all_levels($1_wm_t)
+ mls_xwin_read_all_levels($1_wm_t)
+@@ -72,11 +81,18 @@
+
+ optional_policy(`
+ dbus_system_bus_client($1_wm_t)
++ dbus_session_bus_client($1_wm_t)
++ ')
++
++ optional_policy(`
++ pulseaudio_stream_connect($1_wm_t)
+ ')
+
+ optional_policy(`
+ xserver_role($2, $1_wm_t)
++ xserver_manage_core_devices($1_wm_t)
+ ')
++
')
- optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.10/policy/modules/kernel/corecommands.fc
+ ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.11/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/kernel/corecommands.fc 2010-02-26 11:12:57.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/kernel/corecommands.fc 2010-03-03 23:48:01.000000000 -0500
@@ -44,15 +44,17 @@
/etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0)
/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0)
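Review bot: `xserver_manage_core_devices($1_wm_t)` gives every user's window manager the full manage permission set on the X server's core input devices, and the new rules above make the window manager and the caller's domain `$3` nearly symmetric (`unix_stream_socket connectto`, `process signal`/`signull` and `dbus send_msg` in both directions) without a word on why either direction is needed. A window manager does need keyboard and pointer grabs for its key bindings, so the device rule is plausibly right, but manage is wider than grab; if the denials that motivated it were grabs only, a narrower interface, where refpolicy offers one, would keep the WM from forcing or injecting input on other clients. I would at least annotate the two additions, e.g. `# the WM grabs keyboard/pointer for its key bindings` above the device rule and `# $3 starts, signals and talks to its WM over the session bus` above the symmetric rules, and trim whichever direction was not observed. Parts of the `wm_role_template` body lie between the inner hunks and are not visible here.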
@@ -5618,10 +5670,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
+/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.10/policy/modules/kernel/corecommands.if
---- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/kernel/corecommands.if 2010-02-23 15:54:38.000000000 -0500
-@@ -893,6 +893,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.11/policy/modules/kernel/corecommands.if
+--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-03-01 15:12:54.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/kernel/corecommands.if 2010-03-03 23:48:01.000000000 -0500
+@@ -931,6 +931,7 @@
read_lnk_files_pattern($1, bin_t, bin_t)
can_exec($1, chroot_exec_t)
@@ -5629,7 +5681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
')
########################################
-@@ -918,6 +919,25 @@
+@@ -956,6 +957,25 @@
########################################
##
@@ -5655,7 +5707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
## Execute all executable files.
##
##
-@@ -973,6 +993,7 @@
+@@ -1011,6 +1031,7 @@
type bin_t;
')
@@ -5663,10 +5715,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.7.10/policy/modules/kernel/corenetwork.if.in
---- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/kernel/corenetwork.if.in 2010-02-23 15:54:38.000000000 -0500
-@@ -1705,6 +1705,24 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.7.11/policy/modules/kernel/corenetwork.if.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2010-03-03 23:26:37.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/kernel/corenetwork.if.in 2010-03-03 23:48:01.000000000 -0500
+@@ -1920,6 +1920,24 @@
########################################
##
@@ -5691,9 +5743,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
## Getattr the point-to-point device.
##
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.10/policy/modules/kernel/corenetwork.te.in
---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-02-16 14:58:22.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/kernel/corenetwork.te.in 2010-02-23 15:54:38.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.11/policy/modules/kernel/corenetwork.te.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-03-01 15:12:54.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/kernel/corenetwork.te.in 2010-03-04 09:58:31.000000000 -0500
@@ -65,6 +65,7 @@
type server_packet_t, packet_type, server_packet_type;
@@ -5744,7 +5796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
network_port(ircd, tcp,6667,s0)
network_port(isakmp, udp,500,s0)
-@@ -131,8 +140,9 @@
+@@ -131,32 +140,42 @@
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
network_port(lmtp, tcp,24,s0, udp,24,s0)
@@ -5755,9 +5807,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
-@@ -141,21 +151,29 @@
+ network_port(msnp, tcp,1863,s0, udp,1863,s0)
++network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0)
+ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
+ network_port(mysqlmanagerd, tcp,2273,s0)
network_port(nessus, tcp,1241,s0)
-network_port(netsupport, tcp,5405,s0, udp,5405,s0)
+network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -5786,7 +5841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -175,33 +193,38 @@
+@@ -176,22 +195,24 @@
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rwho, udp,513,s0)
network_port(sap, tcp,9875,s0, udp,9875,s0)
@@ -5812,10 +5867,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
+network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0)
network_port(transproxy, tcp,8081,s0)
--network_port(ups, tcp,3493,s0)
- type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
- network_port(uucpd, tcp,540,s0)
-+network_port(ups, tcp,3493,s0)
+ network_port(ups, tcp,3493,s0)
+@@ -200,9 +221,12 @@
network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152,s0)
@@ -5829,7 +5882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
-@@ -230,6 +253,8 @@
+@@ -231,6 +255,8 @@
type node_t, node_type;
sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
@@ -5838,9 +5891,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
# network_node examples:
#network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.10/policy/modules/kernel/devices.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.11/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-11-20 10:51:41.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/kernel/devices.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/kernel/devices.fc 2010-03-03 23:48:01.000000000 -0500
@@ -16,13 +16,16 @@
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
@@ -5899,10 +5952,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.10/policy/modules/kernel/devices.if
---- nsaserefpolicy/policy/modules/kernel/devices.if 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/kernel/devices.if 2010-02-23 15:54:38.000000000 -0500
-@@ -436,6 +436,24 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.11/policy/modules/kernel/devices.if
+--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-03-03 23:26:37.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/kernel/devices.if 2010-03-03 23:48:01.000000000 -0500
+@@ -461,6 +461,24 @@
########################################
##
@@ -5927,7 +5980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Dontaudit setattr for generic character device files.
##
##
-@@ -801,6 +819,24 @@
+@@ -826,6 +844,24 @@
########################################
##
@@ -5952,7 +6005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Dontaudit read on all character file device nodes.
##
##
-@@ -819,6 +855,24 @@
+@@ -844,6 +880,24 @@
########################################
##
@@ -5977,7 +6030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Create all block device files.
##
##
-@@ -855,6 +909,42 @@
+@@ -880,6 +934,42 @@
########################################
##
@@ -6020,7 +6073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Delete all block device files.
##
##
-@@ -1380,6 +1470,42 @@
+@@ -1405,6 +1495,42 @@
rw_chr_files_pattern($1, device_t, crypt_device_t)
')
@@ -6063,7 +6116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
########################################
##
## getattr the dri devices.
-@@ -1710,6 +1836,24 @@
+@@ -1735,6 +1861,24 @@
########################################
##
@@ -6088,7 +6141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Get the attributes of the ksm devices.
##
##
-@@ -1999,6 +2143,24 @@
+@@ -2024,6 +2168,24 @@
########################################
##
@@ -6113,7 +6166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Read raw memory devices (e.g. /dev/mem).
##
##
-@@ -2450,6 +2612,24 @@
+@@ -2475,6 +2637,24 @@
########################################
##
@@ -6138,7 +6191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Get the attributes of the network control device
##
##
-@@ -3515,6 +3695,24 @@
+@@ -3587,6 +3767,24 @@
########################################
##
@@ -6163,7 +6216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Mount a usbfs filesystem.
##
##
-@@ -3703,6 +3901,24 @@
+@@ -3775,6 +3973,24 @@
getattr_chr_files_pattern($1, device_t, v4l_device_t)
')
@@ -6188,9 +6241,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
########################################
##
## Do not audit attempts to get the attributes
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.10/policy/modules/kernel/devices.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.11/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/kernel/devices.te 2010-02-26 15:47:09.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/kernel/devices.te 2010-03-03 23:48:01.000000000 -0500
@@ -59,6 +59,12 @@
type crypt_device_t;
dev_node(crypt_device_t)
@@ -6230,56 +6283,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
-allow devices_unconfined_type device_node:{ blk_file chr_file } *;
+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
allow devices_unconfined_type mtrr_device_t:file *;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.10/policy/modules/kernel/domain.if
---- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/kernel/domain.if 2010-02-25 16:40:56.000000000 -0500
-@@ -44,34 +44,6 @@
- interface(`domain_type',`
- # start with basic domain
- domain_base_type($1)
--
-- ifdef(`distro_redhat',`
-- optional_policy(`
-- unconfined_use_fds($1)
-- ')
-- ')
--
-- # send init a sigchld and signull
-- optional_policy(`
-- init_sigchld($1)
-- init_signull($1)
-- ')
--
-- # these seem questionable:
--
-- optional_policy(`
-- rpm_use_fds($1)
-- rpm_read_pipes($1)
-- ')
--
-- optional_policy(`
-- selinux_dontaudit_getattr_fs($1)
-- selinux_dontaudit_read_fs($1)
-- ')
--
-- optional_policy(`
-- seutil_dontaudit_read_config($1)
-- ')
- ')
-
- ########################################
-@@ -746,10 +718,6 @@
- dontaudit $1 domain:dir list_dir_perms;
- dontaudit $1 domain:lnk_file read_lnk_file_perms;
- dontaudit $1 domain:file read_file_perms;
--
-- # cjp: these should be removed:
-- dontaudit $1 domain:sock_file read_sock_file_perms;
-- dontaudit $1 domain:fifo_file read_fifo_file_perms;
- ')
-
- ########################################
-@@ -791,6 +759,42 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.11/policy/modules/kernel/domain.if
+--- nsaserefpolicy/policy/modules/kernel/domain.if 2010-03-03 23:26:37.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/kernel/domain.if 2010-03-03 23:48:01.000000000 -0500
+@@ -831,6 +831,42 @@
########################################
##
@@ -6322,7 +6329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
## Do not audit attempts to get the
## session ID of all domains.
##
-@@ -1039,6 +1043,54 @@
+@@ -1079,6 +1115,54 @@
########################################
##
@@ -6377,7 +6384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
## Do not audit attempts to get the attributes
## of all domains unnamed pipes.
##
-@@ -1248,18 +1300,34 @@
+@@ -1288,18 +1372,34 @@
##
##
#
@@ -6415,7 +6422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
## Allow specified type to receive labeled
## networking packets from all domains, over
## all protocols (TCP, UDP, etc)
-@@ -1280,6 +1348,24 @@
+@@ -1320,6 +1420,24 @@
########################################
##
@@ -6440,7 +6447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
## Unconfined access to domains.
##
##
-@@ -1304,3 +1390,39 @@
+@@ -1344,3 +1462,39 @@
typeattribute $1 process_uncond_exempt;
')
@@ -6480,9 +6487,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+
+ dontaudit $1 domain:socket_class_set { read write };
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.10/policy/modules/kernel/domain.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.11/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/kernel/domain.te 2010-02-26 09:13:18.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/kernel/domain.te 2010-03-03 23:48:01.000000000 -0500
@@ -5,6 +5,21 @@
#
# Declarations
@@ -6514,7 +6521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
# Domains that can mmap low memory.
attribute mmap_low_domain_type;
neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
-@@ -80,6 +97,8 @@
+@@ -80,14 +97,17 @@
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)
@@ -6523,8 +6530,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# a keyring
-@@ -87,7 +106,7 @@
+ kernel_dontaudit_search_key(domain)
kernel_dontaudit_link_key(domain)
++kernel_dontaudit_search_debugfs(domain)
# create child processes in the domain
-allow domain self:process { fork sigchld };
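Review bot: The `kernel_dontaudit_search_debugfs(domain)` line suppresses debugfs_t:dir search denials for every type carrying the `domain` attribute, which also hides the AVC record an analyst would use to notice a confined service probing /sys/kernel/debug. dontaudit grants nothing, so there is no access change, but the suppression is global while it is presumably aimed at a handful of noisy callers; a comment stating that, and how to get the denials back, would help: `# debugfs search denials are noise for most domains; use semodule -DB to see them while debugging policy`. The domain block this is inserted into starts and ends outside the hunk.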
@@ -6532,7 +6540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
# Use trusted objects in /dev
dev_rw_null(domain)
-@@ -97,6 +116,13 @@
+@@ -97,6 +117,13 @@
# list the root directory
files_list_root(domain)
@@ -6546,7 +6554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
tunable_policy(`global_ssp',`
# enable reading of urandom for all domains:
# this should be enabled when all programs
-@@ -106,6 +132,10 @@
+@@ -106,6 +133,10 @@
')
optional_policy(`
@@ -6557,7 +6565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
libs_use_ld_so(domain)
libs_use_shared_libs(domain)
')
-@@ -118,6 +148,7 @@
+@@ -118,6 +149,7 @@
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@@ -6565,7 +6573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
')
########################################
-@@ -136,6 +167,8 @@
+@@ -136,6 +168,8 @@
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
@@ -6574,7 +6582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -153,3 +186,75 @@
+@@ -153,3 +187,75 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -6650,9 +6658,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+ userdom_relabelto_user_home_dirs(polydomain)
+ userdom_relabelto_user_home_files(polydomain)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.10/policy/modules/kernel/files.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.11/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/kernel/files.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/kernel/files.fc 2010-03-03 23:48:01.000000000 -0500
@@ -18,6 +18,7 @@
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -6704,10 +6712,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/nfs/rpc_pipefs(/.*)? <>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.10/policy/modules/kernel/files.if
---- nsaserefpolicy/policy/modules/kernel/files.if 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/kernel/files.if 2010-02-24 11:04:55.000000000 -0500
-@@ -932,10 +932,8 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.11/policy/modules/kernel/files.if
+--- nsaserefpolicy/policy/modules/kernel/files.if 2010-03-03 23:26:37.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/kernel/files.if 2010-03-03 23:48:01.000000000 -0500
+@@ -1053,10 +1053,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -6720,7 +6728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
-@@ -1307,6 +1305,24 @@
+@@ -1428,6 +1426,24 @@
########################################
##
@@ -6745,7 +6753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## List the contents of the root directory.
##
##
-@@ -1431,6 +1447,24 @@
+@@ -1552,6 +1568,24 @@
########################################
##
@@ -6770,7 +6778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Remove entries from the root directory.
##
##
-@@ -2088,6 +2122,24 @@
+@@ -2209,6 +2243,24 @@
allow $1 etc_t:dir rw_dir_perms;
')
@@ -6795,7 +6803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
##########################################
##
## Manage generic directories in /etc
-@@ -2125,6 +2177,8 @@
+@@ -2280,6 +2332,8 @@
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -6804,7 +6812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -2207,6 +2261,24 @@
+@@ -2362,6 +2416,24 @@
########################################
##
@@ -6829,7 +6837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Execute generic files in /etc.
##
##
-@@ -2612,6 +2684,11 @@
+@@ -2785,6 +2857,11 @@
')
delete_files_pattern($1, file_t, file_t)
@@ -6841,7 +6849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -2726,6 +2803,7 @@
+@@ -2899,6 +2976,7 @@
')
allow $1 home_root_t:dir getattr;
@@ -6849,7 +6857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -2746,6 +2824,7 @@
+@@ -2919,6 +2997,7 @@
')
dontaudit $1 home_root_t:dir getattr;
@@ -6857,7 +6865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -2764,6 +2843,7 @@
+@@ -2937,6 +3016,7 @@
')
allow $1 home_root_t:dir search_dir_perms;
@@ -6865,7 +6873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -2783,6 +2863,7 @@
+@@ -2956,6 +3036,7 @@
')
dontaudit $1 home_root_t:dir search_dir_perms;
@@ -6873,7 +6881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -2802,6 +2883,7 @@
+@@ -2975,6 +3056,7 @@
')
dontaudit $1 home_root_t:dir list_dir_perms;
@@ -6881,7 +6889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -2820,6 +2902,7 @@
+@@ -2993,6 +3075,7 @@
')
allow $1 home_root_t:dir list_dir_perms;
@@ -6889,7 +6897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -3329,6 +3412,64 @@
+@@ -3502,6 +3585,64 @@
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -6954,7 +6962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
##
## Allow the specified type to associate
-@@ -3514,6 +3655,32 @@
+@@ -3687,6 +3828,32 @@
########################################
##
@@ -6987,7 +6995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Manage temporary files and directories in /tmp.
##
##
-@@ -3727,6 +3894,8 @@
+@@ -3900,6 +4067,8 @@
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -6996,7 +7004,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -3835,7 +4004,12 @@
+@@ -4008,7 +4177,12 @@
type usr_t;
')
@@ -7010,7 +7018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -3874,6 +4048,7 @@
+@@ -4065,6 +4239,7 @@
allow $1 usr_t:dir list_dir_perms;
read_files_pattern($1, usr_t, usr_t)
read_lnk_files_pattern($1, usr_t, usr_t)
@@ -7018,7 +7026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -3898,6 +4073,24 @@
+@@ -4089,6 +4264,24 @@
########################################
##
@@ -7043,33 +7051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## dontaudit write of /usr files
##
##
-@@ -4299,25 +4492,6 @@
-
- ########################################
- ##
--## Do not audit attempts to read and write
--## files in the /var directory.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`files_dontaudit_rw_var_files',`
-- gen_require(`
-- type var_t;
-- ')
--
-- dontaudit $1 var_t:file rw_file_perms;
--')
--
--########################################
--##
- ## Create, read, write, and delete files in the /var directory.
- ##
- ##
-@@ -4537,6 +4711,24 @@
+@@ -4742,6 +4935,24 @@
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -7094,7 +7076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -4809,6 +5001,25 @@
+@@ -5014,6 +5225,25 @@
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -7120,7 +7102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
##
## Do not audit attempts to search
-@@ -4868,6 +5079,24 @@
+@@ -5073,6 +5303,24 @@
########################################
##
@@ -7142,10 +7124,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+
+########################################
+##
- ## Create an object in the process ID directory, with a private
- ## type using a type transition.
+ ## Create an object in the process ID directory, with a private type.
##
-@@ -4917,6 +5146,24 @@
+ ##
+@@ -5148,6 +5396,24 @@
########################################
##
@@ -7170,7 +7152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Do not audit attempts to write to daemon runtime data files.
##
##
-@@ -4970,6 +5217,7 @@
+@@ -5201,6 +5467,7 @@
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -7178,7 +7160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -5038,6 +5286,24 @@
+@@ -5269,6 +5536,24 @@
########################################
##
@@ -7203,7 +7185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Search the contents of generic spool
## directories (/var/spool).
##
-@@ -5226,12 +5492,15 @@
+@@ -5457,12 +5742,15 @@
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -7220,7 +7202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
')
-@@ -5252,3 +5521,212 @@
+@@ -5483,3 +5771,212 @@
typeattribute $1 files_unconfined_type;
')
@@ -7433,9 +7415,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+ dontaudit $1 file_type:file rw_inherited_file_perms;
+ dontaudit $1 file_type:lnk_file { read };
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.10/policy/modules/kernel/files.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.11/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/kernel/files.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/kernel/files.te 2010-03-03 23:48:01.000000000 -0500
@@ -43,6 +43,7 @@
#
type boot_t;
@@ -7468,10 +7450,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.10/policy/modules/kernel/filesystem.if
---- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/kernel/filesystem.if 2010-02-26 15:26:19.000000000 -0500
-@@ -906,7 +906,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.11/policy/modules/kernel/filesystem.if
+--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-03-03 23:26:37.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/kernel/filesystem.if 2010-03-03 23:48:01.000000000 -0500
+@@ -929,7 +929,7 @@
type cifs_t;
')
@@ -7480,7 +7462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
')
########################################
-@@ -1459,6 +1459,25 @@
+@@ -1482,6 +1482,25 @@
########################################
##
@@ -7506,7 +7488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Create, read, write, and delete directories
## on a FUSEFS filesystem.
##
-@@ -1613,6 +1632,36 @@
+@@ -1636,6 +1655,36 @@
########################################
##
@@ -7543,7 +7525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Search inotifyfs filesystem.
##
##
-@@ -1649,6 +1698,24 @@
+@@ -1672,6 +1721,24 @@
########################################
##
@@ -7568,7 +7550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Mount an iso9660 filesystem, which
## is usually used on CDs.
##
-@@ -2047,7 +2114,7 @@
+@@ -2070,7 +2137,7 @@
type nfs_t;
')
@@ -7577,7 +7559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
')
########################################
-@@ -2069,6 +2136,25 @@
+@@ -2092,6 +2159,25 @@
read_lnk_files_pattern($1, nfs_t, nfs_t)
')
@@ -7603,7 +7585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
#########################################
##
## Read named sockets on a NFS filesystem.
-@@ -3458,6 +3544,24 @@
+@@ -3481,6 +3567,24 @@
########################################
##
@@ -7628,7 +7610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Read and write generic tmpfs files.
##
##
-@@ -3684,6 +3788,24 @@
+@@ -3707,6 +3811,24 @@
########################################
##
@@ -7653,7 +7635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Mount a XENFS filesystem.
##
##
-@@ -4181,3 +4303,214 @@
+@@ -4216,3 +4338,214 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
')
@@ -7868,9 +7850,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+ dontaudit $1 filesystem_type:file rw_inherited_file_perms;
+ dontaudit $1 filesystem_type:lnk_file { read };
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.10/policy/modules/kernel/filesystem.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.11/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/kernel/filesystem.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/kernel/filesystem.te 2010-03-03 23:48:01.000000000 -0500
@@ -29,6 +29,7 @@
fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
@@ -7928,9 +7910,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
#
# nfs_t is the default type for NFS file systems
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.10/policy/modules/kernel/kernel.if
---- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/kernel/kernel.if 2010-02-23 15:54:38.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.11/policy/modules/kernel/kernel.if
+--- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-03-01 15:12:54.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/kernel/kernel.if 2010-03-03 23:48:01.000000000 -0500
@@ -144,6 +144,24 @@
########################################
@@ -7956,7 +7938,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
## Send a generic signal to kernel threads.
##
##
-@@ -1849,7 +1867,7 @@
+@@ -612,6 +630,24 @@
+
+ ########################################
+ ##
++## Do not audit attempts to search the kernel debugging filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_dontaudit_search_debugfs',`
++ gen_require(`
++ type debugfs_t;
++ ')
++
++ dontaudit $1 debugfs_t:dir search_dir_perms;
++')
++
++########################################
++##
+ ## Read information from the debugging filesystem.
+ ##
+ ##
+@@ -1911,7 +1947,7 @@
')
dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -7965,7 +7972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
')
########################################
-@@ -1920,6 +1938,25 @@
+@@ -1982,6 +2018,25 @@
########################################
##
@@ -7991,7 +7998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
## Send general signals to unlabeled processes.
##
##
-@@ -2663,6 +2700,24 @@
+@@ -2725,6 +2780,24 @@
########################################
##
@@ -8016,7 +8023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
## Unconfined access to kernel module resources.
##
##
-@@ -2678,3 +2733,22 @@
+@@ -2740,3 +2813,22 @@
typeattribute $1 kern_unconfined;
')
@@ -8039,9 +8046,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
+
+ allow $1 kernel_t:unix_stream_socket connectto;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.10/policy/modules/kernel/kernel.te
---- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/kernel/kernel.te 2010-02-23 15:54:38.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.11/policy/modules/kernel/kernel.te
+--- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-03-04 08:02:45.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/kernel/kernel.te 2010-03-03 23:48:01.000000000 -0500
@@ -64,6 +64,15 @@
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
@@ -8076,7 +8083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -270,6 +281,8 @@
+@@ -270,20 +281,27 @@
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -8084,8 +8091,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
+files_manage_generic_spool_dirs(kernel_t)
mcs_process_set_categories(kernel_t)
+-mcs_killall(kernel_t)
-@@ -277,12 +290,18 @@
+ mls_process_read_up(kernel_t)
mls_process_write_down(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
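Review bot: The `-mcs_killall(kernel_t)` removal drops upstream's line without a comment explaining why Fedora wants kernel_t to stay subject to the MCS signal constraints, so the next rebase against upstream is likely to re-add it silently. As far as I can tell mcs_killall only adds the mcskillall exemption, so the visible effect is that kernel_t can no longer signal across categories; whether any kernel_t-initiated signal actually needs that cannot be confirmed from this hunk. Suggest a comment next to the remaining `mcs_process_set_categories(kernel_t)`, e.g. `# intentionally without mcs_killall(kernel_t): kernel_t stays bound by MCS signal constraints`. The kernel_t policy block starts and ends outside the hunk.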
@@ -8104,7 +8112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
optional_policy(`
hotplug_search_config(kernel_t)
')
-@@ -359,6 +378,10 @@
+@@ -360,6 +378,10 @@
unconfined_domain_noaudit(kernel_t)
')
@@ -8115,15 +8123,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
########################################
#
# Unlabeled process local policy
-@@ -388,3 +411,5 @@
+@@ -389,3 +411,5 @@
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
+
+files_boot(kernel_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.10/policy/modules/kernel/selinux.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.11/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/kernel/selinux.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/kernel/selinux.if 2010-03-03 23:48:01.000000000 -0500
@@ -40,7 +40,7 @@
# because of this statement, any module which
@@ -8181,9 +8189,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
+ fs_type($1)
+ mls_trusted_object($1)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.7.10/policy/modules/kernel/storage.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.7.11/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2009-11-20 10:51:41.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/kernel/storage.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/kernel/storage.fc 2010-03-03 23:48:01.000000000 -0500
@@ -14,6 +14,7 @@
/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -8192,9 +8200,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
/dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.10/policy/modules/kernel/storage.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.11/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/kernel/storage.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/kernel/storage.if 2010-03-03 23:48:01.000000000 -0500
@@ -304,6 +304,7 @@
dev_list_all_dev_nodes($1)
@@ -8203,9 +8211,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.10/policy/modules/kernel/terminal.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.11/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/kernel/terminal.if 2010-02-25 17:44:00.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/kernel/terminal.if 2010-03-03 23:48:01.000000000 -0500
@@ -292,9 +292,11 @@
interface(`term_dontaudit_use_console',`
gen_require(`
@@ -8213,14 +8221,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
+ type tty_device_t;
')
- dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
-+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
+- dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
++ dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms;
++ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.7.10/policy/modules/roles/auditadm.te
+@@ -829,7 +831,7 @@
+ attribute ptynode;
+ ')
+
+- dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
++ dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append };
+ ')
+
+ ########################################
+@@ -1196,7 +1198,7 @@
+ type tty_device_t;
+ ')
+
+- dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
++ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
+ ')
+
+ ########################################
+@@ -1333,7 +1335,7 @@
+ attribute ttynode;
+ ')
+
+- dontaudit $1 ttynode:chr_file rw_chr_file_perms;
++ dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms;
+ ')
+
+ ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.7.11/policy/modules/roles/auditadm.te
--- nsaserefpolicy/policy/modules/roles/auditadm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/roles/auditadm.te 2010-02-26 09:06:07.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/roles/auditadm.te 2010-03-03 23:48:01.000000000 -0500
@@ -33,6 +33,8 @@
seutil_run_runinit(auditadm_t, auditadm_r)
seutil_read_bin_policy(auditadm_t)
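Review bot: The switch from `rw_chr_file_perms`/`rw_term_perms` to `rw_inherited_chr_file_perms`/`rw_inherited_term_perms` in the four term_dontaudit_* interfaces is a useful tightening — a leaked terminal fd stays quiet while a confined domain that actually open()s the console or a tty will now produce an AVC — but neither the bodies nor the interface summaries (outside this hunk) say that open is deliberately still audited, so someone chasing the new denials may widen the dontaudit back. Suggest a body comment in each, e.g. `# inherited fds only: an actual open of the terminal must still be audited`. The `rw_inherited_chr_file_perms` and `rw_inherited_term_perms` macros are not defined anywhere visible in this patch (only `rw_inherited_file_perms` is used, in files.if); confirm they exist in the support perm sets carried by the same patch, or the build fails on an undefined m4 macro.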
@@ -8230,23 +8266,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditad
optional_policy(`
consoletype_exec(auditadm_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/dbadm.if serefpolicy-3.7.10/policy/modules/roles/dbadm.if
---- nsaserefpolicy/policy/modules/roles/dbadm.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/roles/dbadm.if 2010-02-23 15:54:38.000000000 -0500
-@@ -12,8 +12,8 @@
- ##
- #
- interface(`dbadm_role_change',`
-- get_require(`
-- role dbadm_r'
-+ gen_require(`
-+ role dbadm_r;
- ')
-
- allow $1 dbadm_r;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.10/policy/modules/roles/guest.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.11/policy/modules/roles/guest.te
--- nsaserefpolicy/policy/modules/roles/guest.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/roles/guest.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/roles/guest.te 2010-03-03 23:48:01.000000000 -0500
@@ -16,7 +16,11 @@
#
@@ -8261,9 +8283,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.t
+')
+
+gen_user(guest_u, user, guest_r, s0, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.10/policy/modules/roles/staff.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.11/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2010-02-17 14:07:02.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/roles/staff.te 2010-03-01 09:58:00.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/roles/staff.te 2010-03-03 23:48:01.000000000 -0500
@@ -10,11 +10,26 @@
userdom_unpriv_user_template(staff)
@@ -8439,9 +8461,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
+optional_policy(`
+ virt_stream_connect(staff_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.10/policy/modules/roles/sysadm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.11/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-02-17 10:37:39.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/roles/sysadm.te 2010-02-26 09:04:40.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/roles/sysadm.te 2010-03-04 07:59:10.000000000 -0500
@@ -15,7 +15,7 @@
role sysadm_r;
@@ -8451,7 +8473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
ifndef(`enable_mls',`
userdom_security_admin_template(sysadm_t, sysadm_r)
-@@ -28,17 +28,25 @@
+@@ -28,17 +28,28 @@
corecmd_exec_shell(sysadm_t)
@@ -8472,12 +8494,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
userdom_home_filetrans_user_home_dir(sysadm_t)
++userdom_manage_user_tmp_dirs(sysadm_t)
++userdom_manage_user_tmp_files(sysadm_t)
++userdom_manage_user_tmp_symlinks(sysadm_t)
+userdom_manage_user_tmp_chr_files(sysadm_t)
+userdom_manage_user_tmp_blk_files(sysadm_t)
ifdef(`direct_sysadm_daemon',`
optional_policy(`
-@@ -70,7 +78,9 @@
+@@ -70,7 +81,9 @@
apache_run_helper(sysadm_t, sysadm_r)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
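Review bot: The three added `userdom_manage_user_tmp_dirs/files/symlinks(sysadm_t)` calls carry no comment saying why an administrator's shell now gets full create/delete rights over every user's tmp objects, whereas the neighbouring home-directory rules sit under the `# Add/remove user home directories` header. A parallel one-liner above the new block, `# Allow sysadm to clean up and remove user tmp dirs, files and symlinks`, would make the intent auditable; whether this is one of the MLS fixes named in the commit message cannot be told from the hunk. The sysadm_t block continues outside this hunk.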
@@ -8488,7 +8513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
')
optional_policy(`
-@@ -86,9 +96,11 @@
+@@ -86,9 +99,11 @@
auditadm_role_change(sysadm_r)
')
@@ -8500,7 +8525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
backup_run(sysadm_t, sysadm_r)
-@@ -98,17 +110,25 @@
+@@ -98,17 +113,25 @@
bind_run_ndc(sysadm_t, sysadm_r)
')
@@ -8526,7 +8551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
certwatch_run(sysadm_t, sysadm_r)
-@@ -126,16 +146,18 @@
+@@ -126,16 +149,18 @@
consoletype_run(sysadm_t, sysadm_r)
')
@@ -8547,7 +8572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
')
optional_policy(`
-@@ -165,9 +187,11 @@
+@@ -165,9 +190,11 @@
ethereal_run_tethereal(sysadm_t, sysadm_r)
')
@@ -8559,7 +8584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
firstboot_run(sysadm_t, sysadm_r)
-@@ -177,6 +201,7 @@
+@@ -177,6 +204,7 @@
fstools_run(sysadm_t, sysadm_r)
')
@@ -8567,7 +8592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
games_role(sysadm_r, sysadm_t)
')
-@@ -192,6 +217,7 @@
+@@ -192,6 +220,7 @@
optional_policy(`
gpg_role(sysadm_r, sysadm_t)
')
@@ -8575,7 +8600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
hostname_run(sysadm_t, sysadm_r)
-@@ -205,6 +231,9 @@
+@@ -205,6 +234,9 @@
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -8585,7 +8610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
')
optional_policy(`
-@@ -212,12 +241,18 @@
+@@ -212,12 +244,18 @@
')
optional_policy(`
@@ -8604,7 +8629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
kudzu_run(sysadm_t, sysadm_r)
-@@ -227,9 +262,11 @@
+@@ -227,9 +265,11 @@
libs_run_ldconfig(sysadm_t, sysadm_r)
')
@@ -8616,15 +8641,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
logrotate_run(sysadm_t, sysadm_r)
-@@ -254,6 +291,7 @@
+@@ -252,8 +292,10 @@
+
+ optional_policy(`
mount_run(sysadm_t, sysadm_r)
++ mount_run_showmount(sysadm_t, sysadm_r)
')
+ifndef(`distro_redhat',`
optional_policy(`
mozilla_role(sysadm_r, sysadm_t)
')
-@@ -261,6 +299,7 @@
+@@ -261,6 +303,7 @@
optional_policy(`
mplayer_role(sysadm_r, sysadm_t)
')
@@ -8632,7 +8660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
mta_role(sysadm_r, sysadm_t)
-@@ -308,8 +347,14 @@
+@@ -308,8 +351,14 @@
')
optional_policy(`
@@ -8647,7 +8675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
quota_run(sysadm_t, sysadm_r)
-@@ -319,9 +364,11 @@
+@@ -319,9 +368,11 @@
raid_domtrans_mdadm(sysadm_t)
')
@@ -8659,7 +8687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
rpc_domtrans_nfsd(sysadm_t)
-@@ -331,9 +378,11 @@
+@@ -331,9 +382,11 @@
rpm_run(sysadm_t, sysadm_r)
')
@@ -8671,7 +8699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
rsync_exec(sysadm_t)
-@@ -357,9 +406,11 @@
+@@ -357,9 +410,11 @@
seutil_run_runinit(sysadm_t, sysadm_r)
')
@@ -8683,7 +8711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
ssh_role_template(sysadm, sysadm_r, sysadm_t)
-@@ -369,6 +420,7 @@
+@@ -369,6 +424,7 @@
staff_role_change(sysadm_r)
')
@@ -8691,7 +8719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
su_role_template(sysadm, sysadm_r, sysadm_t)
')
-@@ -376,15 +428,18 @@
+@@ -376,15 +432,18 @@
optional_policy(`
sudo_role_template(sysadm, sysadm_r, sysadm_t)
')
@@ -8710,7 +8738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
tripwire_run_siggen(sysadm_t, sysadm_r)
-@@ -393,17 +448,21 @@
+@@ -393,17 +452,21 @@
tripwire_run_twprint(sysadm_t, sysadm_r)
')
@@ -8732,7 +8760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
unconfined_domtrans(sysadm_t)
-@@ -417,9 +476,11 @@
+@@ -417,9 +480,11 @@
usbmodules_run(sysadm_t, sysadm_r)
')
@@ -8744,7 +8772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
-@@ -427,9 +488,15 @@
+@@ -427,9 +492,15 @@
usermanage_run_useradd(sysadm_t, sysadm_r)
')
@@ -8760,7 +8788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
vpn_run(sysadm_t, sysadm_r)
-@@ -440,13 +507,26 @@
+@@ -440,13 +511,26 @@
')
optional_policy(`
@@ -8787,9 +8815,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
+
+init_script_role_transition(sysadm_r)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.10/policy/modules/roles/unconfineduser.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.11/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/roles/unconfineduser.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/roles/unconfineduser.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,10 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
@@ -8801,9 +8829,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+
+/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.10/policy/modules/roles/unconfineduser.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.11/policy/modules/roles/unconfineduser.if
--- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/roles/unconfineduser.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/roles/unconfineduser.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,667 @@
+## Unconfiend user role
+
@@ -9472,9 +9500,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+
+ allow $1 unconfined_r;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.10/policy/modules/roles/unconfineduser.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.11/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/roles/unconfineduser.te 2010-02-26 10:43:24.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/roles/unconfineduser.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,432 @@
+policy_module(unconfineduser, 1.0.0)
+
@@ -9908,9 +9936,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.10/policy/modules/roles/unprivuser.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.11/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/roles/unprivuser.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/roles/unprivuser.te 2010-03-03 23:48:01.000000000 -0500
@@ -13,6 +13,7 @@
userdom_unpriv_user_template(user)
@@ -9954,9 +9982,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
+optional_policy(`
+ setroubleshoot_dontaudit_stream_connect(user_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.10/policy/modules/roles/xguest.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.11/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/roles/xguest.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/roles/xguest.te 2010-03-03 23:48:01.000000000 -0500
@@ -15,7 +15,7 @@
##
@@ -10073,9 +10101,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.10/policy/modules/services/abrt.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.11/policy/modules/services/abrt.fc
--- nsaserefpolicy/policy/modules/services/abrt.fc 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/abrt.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/abrt.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,11 +1,17 @@
/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
@@ -10095,10 +10123,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/run/abrt\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.10/policy/modules/services/abrt.if
---- nsaserefpolicy/policy/modules/services/abrt.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/abrt.if 2010-02-26 14:29:34.000000000 -0500
-@@ -19,6 +19,29 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.11/policy/modules/services/abrt.if
+--- nsaserefpolicy/policy/modules/services/abrt.if 2010-03-01 15:12:54.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/abrt.if 2010-03-03 23:48:01.000000000 -0500
+@@ -19,6 +19,28 @@
domtrans_pattern($1, abrt_exec_t, abrt_t)
')
@@ -10121,14 +10149,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
+
+ifdef(`hide_broken_symptoms', `
+ dontaudit abrt_helper_t $1:socket_class_set { read write };
-+ fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
+')
+')
+
######################################
##
## Execute abrt
-@@ -56,6 +79,32 @@
+@@ -57,6 +79,32 @@
read_files_pattern($1, abrt_etc_t, abrt_etc_t)
')
@@ -10161,7 +10188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
######################################
##
## Read abrt logs.
-@@ -75,6 +124,101 @@
+@@ -76,6 +124,101 @@
read_files_pattern($1, abrt_var_log_t, abrt_var_log_t)
')
@@ -10263,9 +10290,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
#####################################
##
## All of the rules required to administrate
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.10/policy/modules/services/abrt.te
---- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/abrt.te 2010-03-01 10:50:07.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.11/policy/modules/services/abrt.te
+--- nsaserefpolicy/policy/modules/services/abrt.te 2010-03-01 15:12:54.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/abrt.te 2010-03-03 23:48:01.000000000 -0500
@@ -33,12 +33,24 @@
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -10313,13 +10340,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
kernel_read_ring_buffer(abrt_t)
-@@ -75,18 +90,38 @@
+@@ -75,25 +90,38 @@
corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
+corecmd_read_all_executables(abrt_t)
+-corenet_all_recvfrom_netlabel(abrt_t)
+-corenet_all_recvfrom_unlabeled(abrt_t)
+-corenet_sendrecv_http_client_packets(abrt_t)
+-corenet_tcp_bind_generic_node(abrt_t)
corenet_tcp_connect_http_port(abrt_t)
+-corenet_tcp_sendrecv_generic_if(abrt_t)
+-corenet_tcp_sendrecv_generic_node(abrt_t)
+-corenet_tcp_sendrecv_generic_port(abrt_t)
+corenet_tcp_connect_ftp_port(abrt_t)
+corenet_tcp_connect_all_ports(abrt_t)
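Review bot: The hunk makes the Fedora patch strip upstream's corenet_all_recvfrom_{netlabel,unlabeled}, corenet_tcp_bind_generic_node and corenet_tcp_sendrecv_generic_{if,node,port} rules from abrt_t, while the context line `corenet_tcp_connect_all_ports(abrt_t)` below the http/ftp port rules stays. Presumably the generic sendrecv rules are granted to all domains somewhere else in the Fedora patch; if they are not, abrt_t keeps permission to connect but loses the interface/node/port sendrecv it needs to actually use the socket, so that should be confirmed before dropping them. Separately, with connect_http_port and connect_ftp_port already present, the blanket connect_all_ports grant is the line that needs a why-comment naming which reporter requires it, or narrowing to the ports the reporters use. The abrt_t block continues past the hunk.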
@@ -10352,7 +10386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
sysnet_read_config(abrt_t)
-@@ -96,22 +131,96 @@
+@@ -103,22 +131,98 @@
miscfiles_read_certs(abrt_t)
miscfiles_read_localization(abrt_t)
@@ -10442,7 +10476,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
+
+miscfiles_read_localization(abrt_helper_t)
+
-+userdom_dontaudit_use_user_terminals(abrt_helper_t)
++term_dontaudit_use_all_ttys(abrt_helper_t)
++term_dontaudit_use_all_ptys(abrt_helper_t)
+
+ifdef(`hide_broken_symptoms', `
+ domain_dontaudit_leaks(abrt_helper_t)
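Review bot: Replacing `userdom_dontaudit_use_user_terminals(abrt_helper_t)` with `term_dontaudit_use_all_ttys` / `term_dontaudit_use_all_ptys` widens the suppressed denials from user terminals to every tty and pty type, and the two new lines sit above, not inside, the `ifdef(`hide_broken_symptoms'` block that begins two lines later. If the intent is only to quiet a terminal descriptor leaked from the crashing process, moving the pair into that block keeps the audit trail on builds without hide_broken_symptoms; otherwise a comment such as `# abrt_helper is handed the crashing process's tty/pty fd; never audit it` should state why unconditional suppression is wanted. Whether the helper actually inherits such descriptors is not visible in the hunk.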
@@ -10455,10 +10490,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
+ dev_dontaudit_read_all_chr_files(abrt_helper_t)
+ dev_dontaudit_write_all_chr_files(abrt_helper_t)
+ dev_dontaudit_write_all_blk_files(abrt_helper_t)
++ fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.10/policy/modules/services/afs.te
---- nsaserefpolicy/policy/modules/services/afs.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/afs.te 2010-02-23 15:54:38.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.7.11/policy/modules/services/afs.if
+--- nsaserefpolicy/policy/modules/services/afs.if 2010-03-01 15:12:54.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/afs.if 2010-03-03 23:48:01.000000000 -0500
+@@ -94,7 +94,7 @@
+ #
+ interface(`afs_admin',`
+ gen_require(`
+- type afs_t;
++ type afs_t, afs_initrc_exec_t;
+ ')
+
+ allow $1 afs_t:process { ptrace signal_perms getattr };
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.11/policy/modules/services/afs.te
+--- nsaserefpolicy/policy/modules/services/afs.te 2010-03-01 15:12:54.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/afs.te 2010-03-03 23:48:01.000000000 -0500
@@ -71,8 +71,8 @@
# afs client local policy
#
@@ -10466,7 +10514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.
-allow afs_t self:capability { sys_nice sys_tty_config };
-allow afs_t self:process setsched;
+allow afs_t self:capability { sys_admin sys_nice sys_tty_config };
-+allow afs_t self:process { fork setsched signal };
++allow afs_t self:process { setsched signal };
allow afs_t self:udp_socket create_socket_perms;
allow afs_t self:fifo_file rw_file_perms;
allow afs_t self:unix_stream_socket create_stream_socket_perms;
@@ -10479,18 +10527,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.
########################################
#
# AFS bossserver local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.7.10/policy/modules/services/aiccu.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.7.11/policy/modules/services/aiccu.fc
--- nsaserefpolicy/policy/modules/services/aiccu.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/aiccu.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/aiccu.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,5 @@
+
+/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
+
+/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
+/var/run/aiccu.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.7.10/policy/modules/services/aiccu.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.7.11/policy/modules/services/aiccu.if
--- nsaserefpolicy/policy/modules/services/aiccu.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/aiccu.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/aiccu.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,119 @@
+
+## policy for aiccu
@@ -10611,9 +10659,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+ aiccu_manage_var_run($1)
+
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.10/policy/modules/services/aiccu.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.11/policy/modules/services/aiccu.te
--- nsaserefpolicy/policy/modules/services/aiccu.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/aiccu.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/aiccu.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,41 @@
+policy_module(aiccu,1.0.0)
+
@@ -10656,9 +10704,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
+manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
+files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.10/policy/modules/services/aisexec.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.11/policy/modules/services/aisexec.fc
--- nsaserefpolicy/policy/modules/services/aisexec.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/aisexec.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/aisexec.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,10 @@
+
+/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0)
@@ -10670,9 +10718,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
+/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0)
+
+/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.10/policy/modules/services/aisexec.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.11/policy/modules/services/aisexec.if
--- nsaserefpolicy/policy/modules/services/aisexec.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/aisexec.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/aisexec.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,106 @@
+## SELinux policy for Aisexec Cluster Engine
+
@@ -10780,9 +10828,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
+
+ admin_pattern($1, aisexec_tmpfs_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.10/policy/modules/services/aisexec.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.11/policy/modules/services/aisexec.te
--- nsaserefpolicy/policy/modules/services/aisexec.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/aisexec.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/aisexec.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,115 @@
+
+policy_module(aisexec,1.0.0)
@@ -10899,9 +10947,59 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
+ groupd_rw_semaphores(aisexec_t)
+ groupd_rw_shm(aisexec_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.7.10/policy/modules/services/amavis.te
---- nsaserefpolicy/policy/modules/services/amavis.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/amavis.te 2010-02-23 15:54:38.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.7.11/policy/modules/services/amavis.if
+--- nsaserefpolicy/policy/modules/services/amavis.if 2010-03-04 11:17:25.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/amavis.if 2010-03-03 23:27:40.000000000 -0500
+@@ -18,30 +18,11 @@
+ type amavis_t, amavis_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, amavis_exec_t, amavis_t)
+ ')
+
+ ########################################
+ ##
+-## Execute amavis server in the amavis domain.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`amavis_initrc_domtrans',`
+- gen_require(`
+- type amavis_initrc_exec_t;
+- ')
+-
+- init_labeled_script_domtrans($1, amavis_initrc_exec_t)
+-')
+-
+-########################################
+-##
+ ## Read amavis spool files.
+ ##
+ ##
+@@ -228,13 +209,13 @@
+ type amavis_t, amavis_tmp_t, amavis_var_log_t;
+ type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
+ type amavis_etc_t, amavis_quarantine_t;
+- type amavis_initrc_exec_t;
++ type amavis_initrc_exec_t;
+ ')
+
+ allow $1 amavis_t:process { ptrace signal_perms };
+ ps_process_pattern($1, amavis_t)
+
+- amavis_initrc_domtrans($1)
++ init_labeled_script_domtrans($1, amavis_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 amavis_initrc_exec_t system_r;
+ allow $2 system_r;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.7.11/policy/modules/services/amavis.te
+--- nsaserefpolicy/policy/modules/services/amavis.te 2010-03-04 11:17:25.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/amavis.te 2010-03-03 23:48:01.000000000 -0500
@@ -138,11 +138,13 @@
auth_dontaudit_read_shadow(amavis_t)
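Review bot: The new amavis.if section makes the Fedora patch delete the `amavis_initrc_domtrans` interface and the `corecmd_search_bin($1)` call in amavis_domtrans from the upstream file, and its timestamps point the wrong way (`---` 2010-03-04 11:17 is newer than `+++` 2010-03-03 23:27), which suggests this hunk was generated against a locally updated upstream tree and reverts those upstream additions rather than adding Fedora changes. Any other module that calls amavis_initrc_domtrans will fail to build once the interface is gone, and callers of amavis_domtrans lose the bin-directory search permission that refpolicy domtrans interfaces normally carry. The `- type amavis_initrc_exec_t;` / `+ type amavis_initrc_exec_t;` pair inside amavis_admin changes only whitespace and should be dropped from the patch. If the revert is unintended, drop the whole amavis.if section.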
@@ -10916,9 +11014,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
sysnet_dns_name_resolve(amavis_t)
sysnet_use_ldap(amavis_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.10/policy/modules/services/apache.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.11/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/apache.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/apache.fc 2010-03-03 23:48:01.000000000 -0500
@@ -2,12 +2,19 @@
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
@@ -11046,9 +11144,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.10/policy/modules/services/apache.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.11/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/apache.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/apache.if 2010-03-03 23:48:01.000000000 -0500
@@ -13,21 +13,17 @@
#
template(`apache_content_template',`
@@ -11757,9 +11855,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ dontaudit $1 httpd_t:unix_dgram_socket { read write };
+ dontaudit $1 httpd_t:unix_stream_socket { read write };
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.10/policy/modules/services/apache.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.11/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/apache.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/apache.te 2010-03-04 09:59:11.000000000 -0500
@@ -19,6 +19,8 @@
# Declarations
#
@@ -12324,7 +12422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -568,20 +776,25 @@
+@@ -568,20 +776,32 @@
fs_search_auto_mountpoints(httpd_php_t)
@@ -12343,6 +12441,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_mysqld_port(httpd_suexec_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
++
++ corenet_tcp_connect_mssql_port(httpd_t)
++ corenet_sendrecv_mssql_client_packets(httpd_t)
++ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
++ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
++ corenet_tcp_connect_mssql_port(httpd_suexec_t)
++ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
')
-optional_policy(`
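Review bot: The six added corenet_*_mssql_* calls for httpd_t, httpd_sys_script_t and httpd_suexec_t go into the same tunable block as the mysqld rules, so whichever boolean encloses this block (its tunable_policy line is above the hunk, presumably httpd_can_network_connect_db) now opens the MSSQL port as well as the MySQL port with a single switch. That is reasonable, but the boolean's description elsewhere in the file should say so, and the dependency on a `network_port(mssql, …)` declaration in corenetwork.te.in, which the commit message says was added but which is outside this hunk, deserves a comment here: `# mssql port is declared in kernel/corenetwork.te.in (Fedora addition)`. The tunable block's opening line is outside the hunk.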
@@ -12356,7 +12461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -599,23 +812,24 @@
+@@ -599,23 +819,24 @@
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
@@ -12385,7 +12490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -628,6 +842,7 @@
+@@ -628,6 +849,7 @@
logging_send_syslog_msg(httpd_suexec_t)
miscfiles_read_localization(httpd_suexec_t)
@@ -12393,7 +12498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-@@ -635,22 +850,31 @@
+@@ -635,22 +857,31 @@
corenet_all_recvfrom_unlabeled(httpd_suexec_t)
corenet_all_recvfrom_netlabel(httpd_suexec_t)
@@ -12432,7 +12537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -676,16 +900,16 @@
+@@ -676,16 +907,16 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -12453,7 +12558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
dontaudit httpd_sys_script_t httpd_config_t:dir search;
-@@ -700,15 +924,29 @@
+@@ -700,15 +931,29 @@
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -12485,7 +12590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -716,6 +954,35 @@
+@@ -716,6 +961,35 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -12521,7 +12626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -728,6 +995,10 @@
+@@ -728,6 +1002,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -12532,7 +12637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -739,6 +1010,8 @@
+@@ -739,6 +1017,8 @@
# httpd_rotatelogs local policy
#
@@ -12541,7 +12646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -758,11 +1031,88 @@
+@@ -758,11 +1038,88 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -12633,23 +12738,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.7.10/policy/modules/services/apm.te
---- nsaserefpolicy/policy/modules/services/apm.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/apm.te 2010-02-23 15:54:38.000000000 -0500
-@@ -223,6 +223,10 @@
- unconfined_domain(apmd_t)
- ')
-
-+optional_policy(`
-+ vbetool_domtrans(apmd_t)
-+')
-+
- # cjp: related to sleep/resume (?)
- optional_policy(`
- xserver_domtrans(apmd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.10/policy/modules/services/arpwatch.te
---- nsaserefpolicy/policy/modules/services/arpwatch.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/arpwatch.te 2010-02-23 15:54:38.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.11/policy/modules/services/arpwatch.te
+--- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-03-04 11:17:25.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/arpwatch.te 2010-03-03 23:48:01.000000000 -0500
@@ -34,6 +34,7 @@
allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
allow arpwatch_t self:udp_socket create_socket_perms;
@@ -12675,9 +12766,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw
fs_getattr_all_fs(arpwatch_t)
fs_search_auto_mountpoints(arpwatch_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.10/policy/modules/services/asterisk.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.11/policy/modules/services/asterisk.if
--- nsaserefpolicy/policy/modules/services/asterisk.if 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/asterisk.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/asterisk.if 2010-03-03 23:48:01.000000000 -0500
@@ -2,8 +2,28 @@
#####################################
@@ -12756,9 +12847,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
+
+ can_exec($1, asterisk_exec_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.10/policy/modules/services/asterisk.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.11/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/asterisk.te 2010-03-01 10:50:26.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/asterisk.te 2010-03-03 23:48:01.000000000 -0500
@@ -40,12 +40,13 @@
#
@@ -12859,18 +12950,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
+ udev_read_db(asterisk_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.7.10/policy/modules/services/avahi.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.7.11/policy/modules/services/avahi.fc
--- nsaserefpolicy/policy/modules/services/avahi.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/avahi.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/avahi.fc 2010-03-03 23:48:01.000000000 -0500
@@ -6,4 +6,4 @@
/var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0)
-/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0)
+/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.10/policy/modules/services/avahi.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.11/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/avahi.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/avahi.te 2010-03-03 23:48:01.000000000 -0500
@@ -24,7 +24,7 @@
# Local policy
#
@@ -12915,9 +13006,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
userdom_dontaudit_search_user_home_dirs(avahi_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.10/policy/modules/services/bind.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.11/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/bind.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/bind.if 2010-03-03 23:48:01.000000000 -0500
@@ -253,7 +253,7 @@
########################################
@@ -12962,9 +13053,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
domain_system_change_exemption($1)
role_transition $2 named_initrc_exec_t system_r;
allow $2 system_r;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.7.10/policy/modules/services/bind.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.7.11/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/bind.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/bind.te 2010-03-03 23:48:01.000000000 -0500
@@ -142,11 +142,11 @@
logging_send_syslog_msg(named_t)
@@ -12979,9 +13070,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
userdom_dontaudit_use_unpriv_user_fds(named_t)
userdom_dontaudit_search_user_home_dirs(named_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.10/policy/modules/services/bluetooth.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.11/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/bluetooth.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/bluetooth.te 2010-03-03 23:48:01.000000000 -0500
@@ -96,6 +96,7 @@
kernel_read_system_state(bluetooth_t)
kernel_read_network_state(bluetooth_t)
@@ -12990,9 +13081,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
corenet_all_recvfrom_unlabeled(bluetooth_t)
corenet_all_recvfrom_netlabel(bluetooth_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.7.10/policy/modules/services/cachefilesd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.7.11/policy/modules/services/cachefilesd.fc
--- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/cachefilesd.fc 2010-02-26 15:11:32.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/cachefilesd.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,28 @@
+###############################################################################
+#
@@ -13022,9 +13113,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach
+/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.7.10/policy/modules/services/cachefilesd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.7.11/policy/modules/services/cachefilesd.if
--- nsaserefpolicy/policy/modules/services/cachefilesd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/cachefilesd.if 2010-02-26 15:09:20.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/cachefilesd.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,41 @@
+###############################################################################
+#
@@ -13067,9 +13158,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach
+ allow cachefilesd_t $1:fifo_file rw_file_perms;
+ allow cachefilesd_t $1:process sigchld;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.7.10/policy/modules/services/cachefilesd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.7.11/policy/modules/services/cachefilesd.te
--- nsaserefpolicy/policy/modules/services/cachefilesd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/cachefilesd.te 2010-02-26 15:09:20.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/cachefilesd.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,146 @@
+###############################################################################
+#
@@ -13217,9 +13308,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach
+fs_getattr_xattr_fs(cachefiles_kernel_t)
+
+dev_search_sysfs(cachefiles_kernel_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.10/policy/modules/services/ccs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.11/policy/modules/services/ccs.te
--- nsaserefpolicy/policy/modules/services/ccs.te 2010-02-16 14:58:22.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/ccs.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/ccs.te 2010-03-03 23:48:01.000000000 -0500
@@ -114,5 +114,10 @@
')
@@ -13231,9 +13322,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.
+optional_policy(`
unconfined_use_fds(ccs_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.7.10/policy/modules/services/certmaster.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.7.11/policy/modules/services/certmaster.fc
--- nsaserefpolicy/policy/modules/services/certmaster.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/certmaster.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/certmaster.fc 2010-03-03 23:48:01.000000000 -0500
@@ -3,5 +3,6 @@
/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0)
@@ -13241,9 +13332,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+/var/lib/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_lib_t,s0)
/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.10/policy/modules/services/certmonger.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.11/policy/modules/services/certmonger.fc
--- nsaserefpolicy/policy/modules/services/certmonger.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/certmonger.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/certmonger.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,6 @@
+/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0)
+
@@ -13251,9 +13342,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+
+/var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0)
+/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.10/policy/modules/services/certmonger.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.11/policy/modules/services/certmonger.if
--- nsaserefpolicy/policy/modules/services/certmonger.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/certmonger.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/certmonger.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,217 @@
+
+## Certificate status monitor and PKI enrollment client
@@ -13472,9 +13563,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+ files_search_pids($1)
+ admin_pattern($1, cermonger_var_run_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.10/policy/modules/services/certmonger.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.11/policy/modules/services/certmonger.te
--- nsaserefpolicy/policy/modules/services/certmonger.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/certmonger.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/certmonger.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,74 @@
+policy_module(certmonger,1.0.0)
+
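Review bot: The context line `+ admin_pattern($1, cermonger_var_run_t)` in the certmonger.if section misspells the type — the companion certmonger.fc in this same patch labels `/var/run/certmonger.pid` as `certmonger_var_run_t`, so what looks like the admin interface references a type name that is presumably never declared (unless the interface's gen_require block, which lies outside this hunk, spells it the same way). If the interface is ever called, the policy build would fail on the unknown type; if it is never called, the admin domain silently gets no access to the pid file and the mistake goes unnoticed. The fix is the one-line change `admin_pattern($1, certmonger_var_run_t)`; this commit only bumps the version in the surrounding headers and does not address it. The enclosing interface starts outside the hunk.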
@@ -13550,9 +13641,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+optional_policy(`
+ unconfined_dbus_send(certmonger_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.10/policy/modules/services/cgroup.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.11/policy/modules/services/cgroup.fc
--- nsaserefpolicy/policy/modules/services/cgroup.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/cgroup.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/cgroup.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0)
+/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t, s0)
@@ -13561,9 +13652,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfigparser_exec_t, s0)
+
+/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.10/policy/modules/services/cgroup.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.11/policy/modules/services/cgroup.if
--- nsaserefpolicy/policy/modules/services/cgroup.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/cgroup.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/cgroup.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,35 @@
+## Control group rules engine daemon.
+##
@@ -13600,9 +13691,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+ stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.10/policy/modules/services/cgroup.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.11/policy/modules/services/cgroup.te
--- nsaserefpolicy/policy/modules/services/cgroup.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/cgroup.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/cgroup.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,87 @@
+policy_module(cgroup, 1.0.0)
+
@@ -13691,18 +13782,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+# /mnt/cgroups/cpu
+kernel_list_unlabeled(cgconfigparser_t)
+kernel_read_system_state(cgconfigparser_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.10/policy/modules/services/chronyd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.11/policy/modules/services/chronyd.fc
--- nsaserefpolicy/policy/modules/services/chronyd.fc 2010-02-16 14:58:22.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/chronyd.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/chronyd.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,3 +1,5 @@
+/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
+
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.10/policy/modules/services/chronyd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.11/policy/modules/services/chronyd.if
--- nsaserefpolicy/policy/modules/services/chronyd.if 2010-02-16 14:58:22.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/chronyd.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/chronyd.if 2010-03-03 23:48:01.000000000 -0500
@@ -77,7 +77,7 @@
gen_require(`
type chronyd_t, chronyd_var_log_t;
@@ -13721,9 +13812,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
logging_search_logs($1)
admin_pattern($1, chronyd_var_log_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.10/policy/modules/services/chronyd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.11/policy/modules/services/chronyd.te
--- nsaserefpolicy/policy/modules/services/chronyd.te 2010-02-16 14:58:22.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/chronyd.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/chronyd.te 2010-03-03 23:48:01.000000000 -0500
@@ -13,6 +13,9 @@
type chronyd_initrc_exec_t;
init_script_file(chronyd_initrc_exec_t)
@@ -13772,9 +13863,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
+optional_policy(`
+ gpsd_rw_shm(chronyd_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.10/policy/modules/services/clamav.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.11/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/clamav.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/clamav.te 2010-03-03 23:48:01.000000000 -0500
@@ -57,6 +57,7 @@
#
@@ -13798,17 +13889,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
optional_policy(`
cron_system_entry(freshclam_t, freshclam_exec_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.10/policy/modules/services/clogd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.11/policy/modules/services/clogd.fc
--- nsaserefpolicy/policy/modules/services/clogd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/clogd.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/clogd.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0)
+
+/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.10/policy/modules/services/clogd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.11/policy/modules/services/clogd.if
--- nsaserefpolicy/policy/modules/services/clogd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/clogd.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/clogd.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,82 @@
+## clogd - clustered mirror log server
+
@@ -13892,9 +13983,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog
+ fs_search_tmpfs($1)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.10/policy/modules/services/clogd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.11/policy/modules/services/clogd.te
--- nsaserefpolicy/policy/modules/services/clogd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/clogd.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/clogd.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,65 @@
+
+policy_module(clogd,1.0.0)
@@ -13961,9 +14052,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.10/policy/modules/services/cobbler.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.11/policy/modules/services/cobbler.if
--- nsaserefpolicy/policy/modules/services/cobbler.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/cobbler.if 2010-02-28 10:20:18.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/cobbler.if 2010-03-03 23:48:01.000000000 -0500
@@ -162,6 +162,7 @@
gen_require(`
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
@@ -13981,9 +14072,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
cobblerd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 cobblerd_initrc_exec_t system_r;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.10/policy/modules/services/cobbler.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.11/policy/modules/services/cobbler.te
--- nsaserefpolicy/policy/modules/services/cobbler.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/cobbler.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/cobbler.te 2010-03-03 23:48:01.000000000 -0500
@@ -40,6 +40,7 @@
allow cobblerd_t self:fifo_file rw_fifo_file_perms;
allow cobblerd_t self:tcp_socket create_stream_socket_perms;
@@ -14014,9 +14105,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
+apache_content_template(cobbler)
+manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
+manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.10/policy/modules/services/consolekit.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.11/policy/modules/services/consolekit.fc
--- nsaserefpolicy/policy/modules/services/consolekit.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/consolekit.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/consolekit.fc 2010-03-03 23:48:01.000000000 -0500
@@ -2,4 +2,5 @@
/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
@@ -14024,9 +14115,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
-/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+
+/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.10/policy/modules/services/consolekit.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.11/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/consolekit.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/consolekit.if 2010-03-03 23:48:01.000000000 -0500
@@ -57,3 +57,42 @@
read_files_pattern($1, consolekit_log_t, consolekit_log_t)
files_search_pids($1)
@@ -14070,9 +14161,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+ read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.10/policy/modules/services/consolekit.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.11/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/consolekit.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/consolekit.te 2010-03-03 23:48:01.000000000 -0500
@@ -16,12 +16,15 @@
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
@@ -14158,9 +14249,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+ unconfined_ptrace(consolekit_t)
unconfined_stream_connect(consolekit_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.10/policy/modules/services/corosync.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.11/policy/modules/services/corosync.fc
--- nsaserefpolicy/policy/modules/services/corosync.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/corosync.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/corosync.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,14 @@
+
+/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
@@ -14176,9 +14267,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
+/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.10/policy/modules/services/corosync.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.11/policy/modules/services/corosync.if
--- nsaserefpolicy/policy/modules/services/corosync.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/corosync.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/corosync.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,108 @@
+## SELinux policy for Corosync Cluster Engine
+
@@ -14288,9 +14379,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.10/policy/modules/services/corosync.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.11/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/corosync.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/corosync.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,115 @@
+
+policy_module(corosync,1.0.0)
@@ -14407,9 +14498,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+optional_policy(`
+ rgmanager_manage_tmpfs_files(corosync_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.10/policy/modules/services/cron.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.11/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/cron.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/cron.fc 2010-03-03 23:48:01.000000000 -0500
@@ -14,7 +14,7 @@
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -14427,9 +14518,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.10/policy/modules/services/cron.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.11/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/cron.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/cron.if 2010-03-03 23:48:01.000000000 -0500
@@ -12,6 +12,10 @@
##
#
@@ -14580,9 +14671,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
+
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.10/policy/modules/services/cron.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.11/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/cron.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/cron.te 2010-03-03 23:48:01.000000000 -0500
@@ -38,8 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -14860,9 +14951,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
unconfined_domain(system_cronjob_t)
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.10/policy/modules/services/cups.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.11/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/cups.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/cups.fc 2010-03-03 23:48:01.000000000 -0500
@@ -13,10 +13,14 @@
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
@@ -14909,9 +15000,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.10/policy/modules/services/cups.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.11/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/cups.te 2010-03-01 08:42:24.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/cups.te 2010-03-03 23:48:01.000000000 -0500
@@ -23,6 +23,9 @@
type cupsd_initrc_exec_t;
init_script_file(cupsd_initrc_exec_t)
@@ -15158,9 +15249,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
dev_read_sysfs(hplip_t)
dev_rw_printer(hplip_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.10/policy/modules/services/cvs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.11/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/cvs.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/cvs.te 2010-03-03 23:48:01.000000000 -0500
@@ -93,6 +93,7 @@
auth_can_read_shadow_passwords(cvs_t)
tunable_policy(`allow_cvs_read_shadow',`
@@ -15175,9 +15266,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.10/policy/modules/services/cyrus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.11/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/cyrus.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/cyrus.te 2010-03-03 23:48:01.000000000 -0500
@@ -75,6 +75,7 @@
corenet_tcp_bind_mail_port(cyrus_t)
corenet_tcp_bind_lmtp_port(cyrus_t)
@@ -15194,9 +15285,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
snmp_read_snmp_var_lib_files(cyrus_t)
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
snmp_stream_connect(cyrus_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.10/policy/modules/services/dbus.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.11/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/dbus.if 2010-03-01 10:27:15.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/dbus.if 2010-03-03 23:48:01.000000000 -0500
@@ -42,8 +42,10 @@
gen_require(`
class dbus { send_msg acquire_svc };
@@ -15332,9 +15423,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+ manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.10/policy/modules/services/dbus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.11/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/dbus.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/dbus.te 2010-03-03 23:48:01.000000000 -0500
@@ -86,6 +86,7 @@
dev_read_sysfs(system_dbusd_t)
@@ -15393,9 +15484,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+ xserver_rw_xdm_pipes(session_bus_type)
+ xserver_append_xdm_home_files(session_bus_type)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.7.10/policy/modules/services/dcc.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.7.11/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/dcc.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/dcc.te 2010-03-03 23:48:01.000000000 -0500
@@ -81,7 +81,7 @@
# dcc daemon controller local policy
#
@@ -15405,9 +15496,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.
allow cdcc_t self:unix_dgram_socket create_socket_perms;
allow cdcc_t self:udp_socket create_socket_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.10/policy/modules/services/denyhosts.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.11/policy/modules/services/denyhosts.fc
--- nsaserefpolicy/policy/modules/services/denyhosts.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/denyhosts.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/denyhosts.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t, s0)
+
@@ -15416,9 +15507,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t, s0)
+/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t, s0)
+/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.10/policy/modules/services/denyhosts.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.11/policy/modules/services/denyhosts.if
--- nsaserefpolicy/policy/modules/services/denyhosts.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/denyhosts.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/denyhosts.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,90 @@
+## Deny Hosts.
+##
@@ -15510,9 +15601,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+ ps_process_pattern($1, denyhosts_t)
+ read_lnk_files_pattern($1, denyhosts_t, denyhosts_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.10/policy/modules/services/denyhosts.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.11/policy/modules/services/denyhosts.te
--- nsaserefpolicy/policy/modules/services/denyhosts.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/denyhosts.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/denyhosts.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,72 @@
+
+policy_module(denyhosts, 1.0.0)
@@ -15586,9 +15677,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+optional_policy(`
+ cron_system_entry(denyhosts_t, denyhosts_exec_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.10/policy/modules/services/devicekit.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.11/policy/modules/services/devicekit.fc
--- nsaserefpolicy/policy/modules/services/devicekit.fc 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/devicekit.fc 2010-02-25 14:52:32.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/devicekit.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,8 +1,12 @@
/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
@@ -15603,9 +15694,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
-/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.10/policy/modules/services/devicekit.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.11/policy/modules/services/devicekit.if
--- nsaserefpolicy/policy/modules/services/devicekit.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/devicekit.if 2010-02-25 14:53:23.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/devicekit.if 2010-03-03 23:48:01.000000000 -0500
@@ -139,6 +139,26 @@
########################################
@@ -15642,9 +15733,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
')
allow $1 devicekit_t:process { ptrace signal_perms getattr };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.10/policy/modules/services/devicekit.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.11/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/devicekit.te 2010-02-26 09:03:13.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/devicekit.te 2010-03-03 23:48:01.000000000 -0500
@@ -42,6 +42,8 @@
files_read_etc_files(devicekit_t)
@@ -15790,15 +15881,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
-@@ -151,6 +194,7 @@
+@@ -151,6 +194,8 @@
kernel_read_system_state(devicekit_power_t)
kernel_rw_hotplug_sysctls(devicekit_power_t)
kernel_rw_kernel_sysctl(devicekit_power_t)
++kernel_search_debugfs(devicekit_power_t)
+kernel_write_proc_files(devicekit_power_t)
corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
-@@ -159,7 +203,9 @@
+@@ -159,7 +204,9 @@
domain_read_all_domains_state(devicekit_power_t)
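Review bot: The added `kernel_search_debugfs(devicekit_power_t)` is an allow rule granting search on the debugfs mount point, whereas the commit message describes this change as "Dontaudit searches of debugfs mount point" — an allow and a dontaudit are different policy outcomes, and nothing in the hunk explains which was intended. If devicekit-power only probes debugfs opportunistically and works without it, `kernel_dontaudit_search_debugfs(devicekit_power_t)` (if that interface exists in this refpolicy version) keeps the domain's footprint unchanged while silencing the AVC noise; if the access is genuinely needed, the changelog entry should say so. Either way a one-line why-comment above the rule naming what devicekit-power looks for under debugfs would help the next reader, since the surrounding kernel_* rules give no hint. The enclosing devicekit_power_t policy continues outside this hunk.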
@@ -15808,7 +15900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
-@@ -167,12 +213,16 @@
+@@ -167,12 +214,17 @@
files_read_etc_files(devicekit_power_t)
files_read_usr_files(devicekit_power_t)
@@ -15821,11 +15913,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
miscfiles_read_localization(devicekit_power_t)
+sysnet_read_config(devicekit_power_t)
++sysnet_domtrans_ifconfig(devicekit_power_t)
+
userdom_read_all_users_state(devicekit_power_t)
optional_policy(`
-@@ -180,6 +230,10 @@
+@@ -180,6 +232,10 @@
')
optional_policy(`
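Review bot: `sysnet_domtrans_ifconfig(devicekit_power_t)` lets devicekit_power_t execute ifconfig/ip and transition into ifconfig_t, a domain that can reconfigure network interfaces, and this privilege expansion appears neither in the changelog nor in a comment in the hunk. Please confirm a full domain transition is what the observed denial requires (as opposed to the `sysnet_read_config` already granted just above), and record the trigger next to the rule, e.g. `# devkit-power runs ifconfig/ip on power-state changes (presumably to toggle interfaces) — confirm against the AVC`. The rule sits outside any `optional_policy` block; that is only safe if sysnetwork is guaranteed in the base policy for this build, which is worth checking. The devicekit_power_t block continues outside this hunk.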
@@ -15836,7 +15929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
dbus_system_bus_client(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -203,17 +257,23 @@
+@@ -203,17 +259,23 @@
optional_policy(`
hal_domtrans_mac(devicekit_power_t)
@@ -15860,9 +15953,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
+optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.7.10/policy/modules/services/dhcp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.7.11/policy/modules/services/dhcp.te
--- nsaserefpolicy/policy/modules/services/dhcp.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/dhcp.te 2010-02-28 10:19:25.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/dhcp.te 2010-03-03 23:48:01.000000000 -0500
@@ -112,6 +112,10 @@
')
@@ -15874,9 +15967,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
dbus_system_bus_client(dhcpd_t)
dbus_connect_system_bus(dhcpd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.10/policy/modules/services/djbdns.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.11/policy/modules/services/djbdns.if
--- nsaserefpolicy/policy/modules/services/djbdns.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/djbdns.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/djbdns.if 2010-03-03 23:48:01.000000000 -0500
@@ -26,6 +26,8 @@
daemontools_read_svc(djbdns_$1_t)
@@ -15926,9 +16019,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd
+
+ allow $1 djbdns_tinydn_t:key link;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.7.10/policy/modules/services/djbdns.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.7.11/policy/modules/services/djbdns.te
--- nsaserefpolicy/policy/modules/services/djbdns.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/djbdns.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/djbdns.te 2010-03-03 23:48:01.000000000 -0500
@@ -42,3 +42,11 @@
files_search_var(djbdns_axfrdns_t)
@@ -15941,9 +16034,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd
+
+init_dontaudit_use_script_fds(djbdns_tinydns_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.10/policy/modules/services/dnsmasq.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.11/policy/modules/services/dnsmasq.fc
--- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/dnsmasq.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/dnsmasq.fc 2010-03-03 23:48:01.000000000 -0500
@@ -6,5 +6,7 @@
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
@@ -15952,9 +16045,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
+
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.10/policy/modules/services/dnsmasq.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.11/policy/modules/services/dnsmasq.if
--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/dnsmasq.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/dnsmasq.if 2010-03-03 23:48:01.000000000 -0500
@@ -111,7 +111,7 @@
type dnsmasq_etc_t;
')
@@ -15973,9 +16066,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
files_search_etc($1)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.10/policy/modules/services/dnsmasq.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.11/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/dnsmasq.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/dnsmasq.te 2010-03-03 23:48:01.000000000 -0500
@@ -19,6 +19,9 @@
type dnsmasq_lease_t;
files_type(dnsmasq_lease_t)
@@ -16031,9 +16124,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
seutil_sigchld_newrole(dnsmasq_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.10/policy/modules/services/dovecot.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.11/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/dovecot.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/dovecot.fc 2010-03-03 23:48:01.000000000 -0500
@@ -34,6 +34,7 @@
/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
@@ -16042,9 +16135,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.10/policy/modules/services/dovecot.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.11/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/dovecot.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/dovecot.te 2010-03-03 23:48:01.000000000 -0500
@@ -73,14 +73,21 @@
can_exec(dovecot_t, dovecot_exec_t)
@@ -16155,23 +16248,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
fs_manage_cifs_files(dovecot_t)
fs_manage_cifs_symlinks(dovecot_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.7.10/policy/modules/services/exim.te
---- nsaserefpolicy/policy/modules/services/exim.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/exim.te 2010-02-23 15:54:38.000000000 -0500
-@@ -192,6 +192,10 @@
- ')
-
- optional_policy(`
-+ sendmail_manage_tmp_files(exim_t)
-+')
-+
-+optional_policy(`
- spamassassin_exec(exim_t)
- spamassassin_exec_client(exim_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.10/policy/modules/services/fail2ban.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.11/policy/modules/services/fail2ban.if
--- nsaserefpolicy/policy/modules/services/fail2ban.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/fail2ban.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/fail2ban.if 2010-03-03 23:48:01.000000000 -0500
@@ -98,6 +98,46 @@
allow $1 fail2ban_var_run_t:file read_file_perms;
')
@@ -16241,9 +16320,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
+
+ allow $1 fail2ban_t:unix_stream_socket { getattr read write ioctl };
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.10/policy/modules/services/fetchmail.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.11/policy/modules/services/fetchmail.te
--- nsaserefpolicy/policy/modules/services/fetchmail.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/fetchmail.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/fetchmail.te 2010-03-03 23:48:01.000000000 -0500
@@ -48,6 +48,7 @@
kernel_dontaudit_read_system_state(fetchmail_t)
@@ -16252,9 +16331,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetc
corenet_all_recvfrom_unlabeled(fetchmail_t)
corenet_all_recvfrom_netlabel(fetchmail_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.10/policy/modules/services/fprintd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.11/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/fprintd.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/fprintd.te 2010-03-03 23:48:01.000000000 -0500
@@ -55,4 +55,6 @@
policykit_read_lib(fprintd_t)
policykit_dbus_chat(fprintd_t)
@@ -16262,9 +16341,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri
+ policykit_dbus_chat_auth(fprintd_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.7.10/policy/modules/services/ftp.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.7.11/policy/modules/services/ftp.fc
--- nsaserefpolicy/policy/modules/services/ftp.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/ftp.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/ftp.fc 2010-03-03 23:48:01.000000000 -0500
@@ -22,7 +22,7 @@
#
# /var
@@ -16274,9 +16353,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.10/policy/modules/services/ftp.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.11/policy/modules/services/ftp.if
--- nsaserefpolicy/policy/modules/services/ftp.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/ftp.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/ftp.if 2010-03-03 23:48:01.000000000 -0500
@@ -115,6 +115,44 @@
role $2 types ftpdctl_t;
')
@@ -16322,9 +16401,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
########################################
##
## All of the rules required to administrate
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.10/policy/modules/services/ftp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.11/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/ftp.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/ftp.te 2010-03-03 23:48:01.000000000 -0500
@@ -41,11 +41,51 @@
##
@@ -16573,9 +16652,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
+ fs_read_nfs_files(sftpd_t)
+ fs_read_nfs_symlinks(ftpd_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.10/policy/modules/services/git.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.11/policy/modules/services/git.fc
--- nsaserefpolicy/policy/modules/services/git.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/git.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/git.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,3 +1,16 @@
-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
-/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
@@ -16596,9 +16675,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+
+/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t, s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.10/policy/modules/services/git.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.11/policy/modules/services/git.if
--- nsaserefpolicy/policy/modules/services/git.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/git.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/git.if 2010-03-03 23:48:01.000000000 -0500
@@ -1 +1,535 @@
-## GIT revision control system
+## Git - Fast Version Control System.
@@ -17136,9 +17215,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+ userdom_search_user_home_dirs($1)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.10/policy/modules/services/git.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.11/policy/modules/services/git.te
--- nsaserefpolicy/policy/modules/services/git.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/git.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/git.te 2010-03-03 23:48:01.000000000 -0500
@@ -1,9 +1,182 @@
-policy_module(git, 1.0)
@@ -17325,9 +17404,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
-apache_content_template(git)
+#git_role_template(git_shell)
+#gen_user(git_shell_u, user, git_shell_r, s0, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.10/policy/modules/services/gpsd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.11/policy/modules/services/gpsd.te
--- nsaserefpolicy/policy/modules/services/gpsd.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/gpsd.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/gpsd.te 2010-03-03 23:48:01.000000000 -0500
@@ -25,7 +25,7 @@
# gpsd local policy
#
@@ -17337,9 +17416,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd
allow gpsd_t self:process setsched;
allow gpsd_t self:shm create_shm_perms;
allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.10/policy/modules/services/hal.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.11/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/hal.te 2010-03-01 08:44:41.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/hal.te 2010-03-03 23:48:01.000000000 -0500
@@ -55,6 +55,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -17443,9 +17522,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
########################################
#
# Local hald dccm policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.7.10/policy/modules/services/howl.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.7.11/policy/modules/services/howl.te
--- nsaserefpolicy/policy/modules/services/howl.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/howl.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/howl.te 2010-03-03 23:48:01.000000000 -0500
@@ -30,7 +30,7 @@
kernel_read_network_state(howl_t)
@@ -17455,9 +17534,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl
kernel_list_proc(howl_t)
kernel_read_proc_symlinks(howl_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.fc serefpolicy-3.7.10/policy/modules/services/icecast.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.fc serefpolicy-3.7.11/policy/modules/services/icecast.fc
--- nsaserefpolicy/policy/modules/services/icecast.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/icecast.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/icecast.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/icecast -- gen_context(system_u:object_r:icecast_initrc_exec_t,s0)
+
@@ -17466,9 +17545,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec
+/var/log/icecast(/.*)? gen_context(system_u:object_r:icecast_log_t,s0)
+
+/var/run/icecast(/.*)? gen_context(system_u:object_r:icecast_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.if serefpolicy-3.7.10/policy/modules/services/icecast.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.if serefpolicy-3.7.11/policy/modules/services/icecast.if
--- nsaserefpolicy/policy/modules/services/icecast.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/icecast.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/icecast.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,199 @@
+
+## ShoutCast compatible streaming media server
@@ -17669,9 +17748,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec
+ icecast_manage_log($1)
+
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.10/policy/modules/services/icecast.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.11/policy/modules/services/icecast.te
--- nsaserefpolicy/policy/modules/services/icecast.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/icecast.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/icecast.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,59 @@
+policy_module(icecast,1.0.0)
+
@@ -17732,9 +17811,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec
+optional_policy(`
+ rtkit_daemon_system_domain(icecast_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.7.10/policy/modules/services/inn.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.7.11/policy/modules/services/inn.te
--- nsaserefpolicy/policy/modules/services/inn.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/inn.te 2010-03-01 09:16:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/inn.te 2010-03-03 23:48:01.000000000 -0500
@@ -106,6 +106,7 @@
userdom_dontaudit_use_unpriv_user_fds(innd_t)
@@ -17743,9 +17822,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.
mta_send_mail(innd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.10/policy/modules/services/kerberos.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.11/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/kerberos.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/kerberos.if 2010-03-03 23:48:01.000000000 -0500
@@ -74,7 +74,7 @@
')
@@ -17766,9 +17845,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
tunable_policy(`allow_kerberos',`
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.10/policy/modules/services/kerberos.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.11/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/kerberos.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/kerberos.te 2010-03-03 23:48:01.000000000 -0500
@@ -112,6 +112,7 @@
kernel_read_kernel_sysctls(kadmind_t)
@@ -17786,18 +17865,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
allow kpropd_t krb5_keytab_t:file read_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.10/policy/modules/services/ksmtuned.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.11/policy/modules/services/ksmtuned.fc
--- nsaserefpolicy/policy/modules/services/ksmtuned.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/ksmtuned.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/ksmtuned.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
+
+/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
+
+/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.10/policy/modules/services/ksmtuned.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.11/policy/modules/services/ksmtuned.if
--- nsaserefpolicy/policy/modules/services/ksmtuned.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/ksmtuned.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/ksmtuned.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,76 @@
+
+## policy for Kernel Samepage Merging (KSM) Tuning Daemon
@@ -17875,9 +17954,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt
+ allow $2 system_r;
+
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.10/policy/modules/services/ksmtuned.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.11/policy/modules/services/ksmtuned.te
--- nsaserefpolicy/policy/modules/services/ksmtuned.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/ksmtuned.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/ksmtuned.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,44 @@
+policy_module(ksmtuned,1.0.0)
+
@@ -17923,9 +18002,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt
+files_read_etc_files(ksmtuned_t)
+
+miscfiles_read_localization(ksmtuned_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.10/policy/modules/services/ldap.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.11/policy/modules/services/ldap.fc
--- nsaserefpolicy/policy/modules/services/ldap.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/ldap.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/ldap.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,8 +1,12 @@
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
@@ -17952,9 +18031,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.10/policy/modules/services/ldap.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.11/policy/modules/services/ldap.if
--- nsaserefpolicy/policy/modules/services/ldap.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/ldap.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/ldap.if 2010-03-03 23:48:01.000000000 -0500
@@ -1,5 +1,43 @@
## OpenLDAP directory server
@@ -17999,10 +18078,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
########################################
##
## Read the contents of the OpenLDAP
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.10/policy/modules/services/ldap.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.11/policy/modules/services/ldap.te
--- nsaserefpolicy/policy/modules/services/ldap.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/ldap.te 2010-02-23 15:54:38.000000000 -0500
-@@ -28,6 +28,9 @@
++++ serefpolicy-3.7.11/policy/modules/services/ldap.te 2010-03-03 23:48:01.000000000 -0500
+@@ -28,9 +28,15 @@
type slapd_replog_t;
files_type(slapd_replog_t)
@@ -18012,7 +18091,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
type slapd_tmp_t;
files_tmp_file(slapd_tmp_t)
-@@ -68,6 +71,10 @@
++type slapd_tmpfs_t;
++files_tmpfs_file(slapd_tmpfs_t)
++
+ type slapd_var_run_t;
+ files_pid_file(slapd_var_run_t)
+
+@@ -68,10 +74,17 @@
manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
@@ -18023,9 +18108,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.10/policy/modules/services/lircd.te
+
++manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t)
++fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t,file)
++
+ manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
+ manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
+ files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file })
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.11/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/lircd.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/lircd.te 2010-03-03 23:48:01.000000000 -0500
@@ -24,8 +24,11 @@
# lircd local policy
#
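Review bot: `fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t,file)` drops the space after the last comma, unlike the neighbouring `files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })` and `files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file })` in the same rule block; `fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file)` keeps the argument style consistent. The transition and the `manage_files_pattern` line above it are both limited to the `file` class, so anything other than a regular file that slapd creates on tmpfs would keep the generic tmpfs label rather than slapd_tmpfs_t — presumably intentional, but a one-line comment above the pair, such as `# slapd writes regular files to tmpfs; transition is deliberately file-only`, would make that scope explicit to the next reader. The slapd_tmpfs_t type itself is declared in the preceding hunk of this ldap.te patch, so the two hunks only make sense applied together.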
@@ -18074,9 +18166,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc
+
+sysnet_dns_name_resolve(lircd_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.7.10/policy/modules/services/mailman.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.7.11/policy/modules/services/mailman.fc
--- nsaserefpolicy/policy/modules/services/mailman.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/mailman.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/mailman.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,4 +1,4 @@
-/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib(64)?/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
@@ -18098,9 +18190,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
/var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.10/policy/modules/services/memcached.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.11/policy/modules/services/memcached.te
--- nsaserefpolicy/policy/modules/services/memcached.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/memcached.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/memcached.te 2010-03-03 23:48:01.000000000 -0500
@@ -22,9 +22,12 @@
#
@@ -18131,9 +18223,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memc
+term_dontaudit_use_all_ptys(memcached_t)
+term_dontaudit_use_all_ttys(memcached_t)
+term_dontaudit_use_console(memcached_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.10/policy/modules/services/modemmanager.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.11/policy/modules/services/modemmanager.te
--- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/modemmanager.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/modemmanager.te 2010-03-03 23:48:01.000000000 -0500
@@ -16,8 +16,8 @@
#
# ModemManager local policy
@@ -18153,9 +18245,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode
term_use_unallocated_ttys(modemmanager_t)
miscfiles_read_localization(modemmanager_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.10/policy/modules/services/mta.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.11/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/mta.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/mta.fc 2010-03-03 23:48:01.000000000 -0500
@@ -13,6 +13,8 @@
/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -18165,9 +18257,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.10/policy/modules/services/mta.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.11/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/mta.if 2010-02-26 14:53:51.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/mta.if 2010-03-03 23:48:01.000000000 -0500
@@ -220,6 +220,25 @@
application_executable_file($1)
')
@@ -18283,9 +18375,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
## Read the mail queue.
##
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.10/policy/modules/services/mta.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.11/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/mta.te 2010-02-25 08:06:42.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/mta.te 2010-03-03 23:48:01.000000000 -0500
@@ -63,6 +63,9 @@
can_exec(system_mail_t, mta_exec_type)
@@ -18359,9 +18451,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.10/policy/modules/services/munin.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.11/policy/modules/services/munin.fc
--- nsaserefpolicy/policy/modules/services/munin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/munin.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/munin.fc 2010-03-03 23:48:01.000000000 -0500
@@ -9,3 +9,6 @@
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
@@ -18369,9 +18461,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.10/policy/modules/services/munin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.11/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/munin.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/munin.te 2010-03-03 23:48:01.000000000 -0500
@@ -33,7 +33,7 @@
# Local policy
#
@@ -18413,9 +18505,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.7.10/policy/modules/services/mysql.if
---- nsaserefpolicy/policy/modules/services/mysql.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/mysql.if 2010-02-23 15:54:38.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.7.11/policy/modules/services/mysql.if
+--- nsaserefpolicy/policy/modules/services/mysql.if 2010-03-01 15:12:54.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/mysql.if 2010-03-03 23:48:01.000000000 -0500
@@ -1,5 +1,43 @@
## Policy for MySQL
@@ -18460,12 +18552,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
########################################
##
## Send a generic signal to MySQL.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.10/policy/modules/services/mysql.te
---- nsaserefpolicy/policy/modules/services/mysql.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/mysql.te 2010-02-23 15:54:38.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.11/policy/modules/services/mysql.te
+--- nsaserefpolicy/policy/modules/services/mysql.te 2010-03-01 15:12:54.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/mysql.te 2010-03-03 23:48:01.000000000 -0500
@@ -1,6 +1,13 @@
- policy_module(mysql, 1.11.1)
+ policy_module(mysql, 1.11.2)
+##
+##
@@ -18477,7 +18569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
########################################
#
# Declarations
-@@ -37,7 +44,7 @@
+@@ -47,7 +54,7 @@
# Local policy
#
@@ -18486,7 +18578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
dontaudit mysqld_t self:capability sys_tty_config;
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
allow mysqld_t self:fifo_file rw_fifo_file_perms;
-@@ -109,6 +116,11 @@
+@@ -120,6 +127,11 @@
# for /root/.my.cnf - should not be needed:
userdom_read_user_home_content_files(mysqld_t)
@@ -18498,7 +18590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
ifdef(`distro_redhat',`
# because Fedora has the sock_file in the database directory
type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
-@@ -131,20 +143,26 @@
+@@ -142,20 +154,26 @@
# Local mysqld_safe policy
#
@@ -18527,7 +18619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
dev_list_sysfs(mysqld_safe_t)
-@@ -158,6 +176,7 @@
+@@ -169,6 +187,7 @@
miscfiles_read_localization(mysqld_safe_t)
mysql_manage_db_files(mysqld_safe_t)
@@ -18535,9 +18627,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
mysql_read_config(mysqld_safe_t)
mysql_search_pid_files(mysqld_safe_t)
mysql_write_log(mysqld_safe_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.10/policy/modules/services/nagios.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.11/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/nagios.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/nagios.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,16 +1,89 @@
/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
@@ -18633,9 +18725,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
+
+# unconfined plugins
+/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.10/policy/modules/services/nagios.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.11/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/nagios.if 2010-02-26 15:37:58.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/nagios.if 2010-03-03 23:48:01.000000000 -0500
@@ -64,8 +64,8 @@
########################################
@@ -18799,9 +18891,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
+
+ admin_pattern($1, nrpe_etc_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.10/policy/modules/services/nagios.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.11/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/nagios.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/nagios.te 2010-03-03 23:48:01.000000000 -0500
@@ -6,17 +6,23 @@
# Declarations
#
@@ -19186,9 +19278,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
+optional_policy(`
+ init_read_utmp(nagios_system_plugin_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.10/policy/modules/services/networkmanager.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.11/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/networkmanager.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/networkmanager.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,12 +1,32 @@
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0)
+/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -19222,9 +19314,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.10/policy/modules/services/networkmanager.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.11/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/networkmanager.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/networkmanager.if 2010-03-03 23:48:01.000000000 -0500
@@ -118,6 +118,24 @@
########################################
@@ -19301,9 +19393,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+ role $2 types NetworkManager_t;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.10/policy/modules/services/networkmanager.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.11/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/networkmanager.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/networkmanager.te 2010-03-03 23:48:01.000000000 -0500
@@ -19,6 +19,9 @@
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
@@ -19547,9 +19639,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.10/policy/modules/services/nis.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.11/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/nis.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/nis.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,4 +1,7 @@
-
+/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
@@ -19568,9 +19660,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
+/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
+/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
+/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.10/policy/modules/services/nis.if
---- nsaserefpolicy/policy/modules/services/nis.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/nis.if 2010-02-23 15:54:38.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.11/policy/modules/services/nis.if
+--- nsaserefpolicy/policy/modules/services/nis.if 2010-03-03 23:26:37.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/nis.if 2010-03-03 23:48:01.000000000 -0500
@@ -28,7 +28,7 @@
type var_yp_t;
')
@@ -19580,7 +19672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 self:udp_socket create_socket_perms;
-@@ -76,6 +76,10 @@
+@@ -88,6 +88,10 @@
##
#
interface(`nis_use_ypbind',`
@@ -19591,16 +19683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
tunable_policy(`allow_ypbind',`
nis_use_ypbind_uncond($1)
')
-@@ -87,7 +91,7 @@
- ##
- ##
- ##
--## Domain allowed access.
-+## The type of the process performing this action.
- ##
- ##
- ##
-@@ -262,6 +266,43 @@
+@@ -274,6 +278,43 @@
########################################
##
@@ -19644,29 +19727,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
## All of the rules required to administrate
## an nis environment
##
-@@ -272,16 +313,19 @@
- ##
- ##
- ##
--## Role allowed access.
-+## The role to be allowed to manage the nis domain.
- ##
- ##
- ##
- #
- interface(`nis_admin',`
- gen_require(`
-- type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
-+ type ypbind_t, yppasswdd_t;
-+ type ypserv_t, ypxfr_t;
+@@ -294,6 +335,7 @@
+ type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t;
type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
-+ type ypbind_initrc_exec_t;
-+ type nis_initrc_exec_t;
++ type ypbind_initrc_exec_t, nis_initrc_exec_t;
')
allow $1 ypbind_t:process { ptrace signal_perms };
-@@ -296,6 +340,13 @@
+@@ -308,6 +350,13 @@
allow $1 ypxfr_t:process { ptrace signal_perms };
ps_process_pattern($1, ypxfr_t)
@@ -19680,7 +19749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
files_list_tmp($1)
admin_pattern($1, ypbind_tmp_t)
-@@ -311,3 +362,31 @@
+@@ -323,3 +372,30 @@
admin_pattern($1, ypserv_var_run_t)
')
@@ -19711,10 +19780,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
+ nis_domtrans_ypbind($1)
+ role $2 types ypbind_t;
+')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.10/policy/modules/services/nis.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.11/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/nis.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/nis.te 2010-03-03 23:48:01.000000000 -0500
@@ -13,6 +13,9 @@
type ypbind_exec_t;
init_daemon_domain(ypbind_t, ypbind_exec_t)
@@ -19786,9 +19854,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
corenet_tcp_bind_all_rpc_ports(ypxfr_t)
corenet_udp_bind_all_rpc_ports(ypxfr_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.10/policy/modules/services/nscd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.11/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/nscd.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/nscd.if 2010-03-03 23:48:01.000000000 -0500
@@ -121,6 +121,24 @@
########################################
@@ -19823,9 +19891,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.10/policy/modules/services/nscd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.11/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/nscd.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/nscd.te 2010-03-03 23:48:01.000000000 -0500
@@ -1,10 +1,17 @@
-policy_module(nscd, 1.10.0)
@@ -19870,9 +19938,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
+optional_policy(`
+ unconfined_dontaudit_rw_packet_sockets(nscd_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.7.10/policy/modules/services/ntop.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.7.11/policy/modules/services/ntop.fc
--- nsaserefpolicy/policy/modules/services/ntop.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/ntop.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/ntop.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,7 +1,6 @@
/etc/ntop(/.*)? gen_context(system_u:object_r:ntop_etc_t,s0)
@@ -19881,9 +19949,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop
/var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0)
/var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.10/policy/modules/services/ntop.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.11/policy/modules/services/ntop.te
--- nsaserefpolicy/policy/modules/services/ntop.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/ntop.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/ntop.te 2010-03-03 23:48:01.000000000 -0500
@@ -11,12 +11,12 @@
init_daemon_domain(ntop_t, ntop_exec_t)
application_domain(ntop_t, ntop_exec_t)
@@ -19974,9 +20042,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop
seutil_sigchld_newrole(ntop_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.10/policy/modules/services/ntp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.11/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/ntp.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/ntp.te 2010-03-03 23:48:01.000000000 -0500
@@ -100,6 +100,8 @@
fs_getattr_all_fs(ntpd_t)
@@ -19986,9 +20054,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
term_use_ptmx(ntpd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.10/policy/modules/services/nut.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.11/policy/modules/services/nut.te
--- nsaserefpolicy/policy/modules/services/nut.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/nut.te 2010-02-26 08:33:54.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/nut.te 2010-03-03 23:48:01.000000000 -0500
@@ -29,7 +29,8 @@
# Local policy for upsd
#
@@ -20031,9 +20099,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.
+
+ sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.10/policy/modules/services/nx.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.11/policy/modules/services/nx.fc
--- nsaserefpolicy/policy/modules/services/nx.fc 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/nx.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/nx.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,7 +1,15 @@
/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
@@ -20052,9 +20120,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.f
+/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+
/usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.10/policy/modules/services/nx.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.11/policy/modules/services/nx.if
--- nsaserefpolicy/policy/modules/services/nx.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/nx.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/nx.if 2010-03-03 23:48:01.000000000 -0500
@@ -17,3 +17,70 @@
spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
@@ -20126,9 +20194,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.i
+
+ filetrans_pattern($1, nx_server_var_lib_t, $2, $3)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.10/policy/modules/services/nx.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.11/policy/modules/services/nx.te
--- nsaserefpolicy/policy/modules/services/nx.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/nx.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/nx.te 2010-03-03 23:48:01.000000000 -0500
@@ -25,6 +25,12 @@
type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)
@@ -20163,9 +20231,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.t
kernel_read_system_state(nx_server_t)
kernel_read_kernel_sysctls(nx_server_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.10/policy/modules/services/oddjob.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.11/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/oddjob.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/oddjob.if 2010-03-03 23:48:01.000000000 -0500
@@ -44,6 +44,7 @@
')
@@ -20174,9 +20242,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.7.10/policy/modules/services/oddjob.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.7.11/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/oddjob.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/oddjob.te 2010-03-03 23:48:01.000000000 -0500
@@ -100,8 +100,7 @@
# Add/remove user home directories
@@ -20188,9 +20256,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_user_home_content(oddjob_mkhomedir_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.10/policy/modules/services/openvpn.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.11/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/openvpn.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/openvpn.te 2010-03-03 23:48:01.000000000 -0500
@@ -41,7 +41,7 @@
# openvpn local policy
#
@@ -20226,9 +20294,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
sysnet_etc_filetrans_config(openvpn_t)
userdom_use_user_terminals(openvpn_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.10/policy/modules/services/pcscd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.11/policy/modules/services/pcscd.if
--- nsaserefpolicy/policy/modules/services/pcscd.if 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/pcscd.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/pcscd.if 2010-03-03 23:48:01.000000000 -0500
@@ -39,6 +39,44 @@
########################################
@@ -20274,9 +20342,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcsc
## Connect to pcscd over an unix stream socket.
##
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.10/policy/modules/services/pegasus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.11/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/pegasus.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/pegasus.te 2010-03-03 23:48:01.000000000 -0500
@@ -30,7 +30,7 @@
# Local policy
#
@@ -20348,9 +20416,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega
+ xen_stream_connect(pegasus_t)
+ xen_stream_connect_xenstore(pegasus_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.7.10/policy/modules/services/plymouthd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.7.11/policy/modules/services/plymouthd.fc
--- nsaserefpolicy/policy/modules/services/plymouthd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/plymouthd.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/plymouthd.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,9 @@
+/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t, s0)
+
@@ -20361,9 +20429,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
+/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t, s0)
+
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.if serefpolicy-3.7.10/policy/modules/services/plymouthd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.if serefpolicy-3.7.11/policy/modules/services/plymouthd.if
--- nsaserefpolicy/policy/modules/services/plymouthd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/plymouthd.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/plymouthd.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,322 @@
+## policy for plymouthd
+
@@ -20687,9 +20755,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
+
+ allow $1 plymouthd_t:unix_stream_socket connectto;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.7.10/policy/modules/services/plymouthd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.7.11/policy/modules/services/plymouthd.te
--- nsaserefpolicy/policy/modules/services/plymouthd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/plymouthd.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/plymouthd.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,105 @@
+policy_module(plymouthd, 1.0.0)
+
@@ -20796,9 +20864,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
+ hal_dontaudit_rw_pipes(plymouth_t)
+')
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.10/policy/modules/services/policykit.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.11/policy/modules/services/policykit.fc
--- nsaserefpolicy/policy/modules/services/policykit.fc 2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/policykit.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/policykit.fc 2010-03-03 23:48:01.000000000 -0500
@@ -6,10 +6,13 @@
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
@@ -20814,9 +20882,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.10/policy/modules/services/policykit.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.11/policy/modules/services/policykit.if
--- nsaserefpolicy/policy/modules/services/policykit.if 2009-08-18 18:39:50.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/policykit.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/policykit.if 2010-03-03 23:48:01.000000000 -0500
@@ -17,12 +17,37 @@
class dbus send_msg;
')
@@ -20913,9 +20981,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
+
+ allow $1 policykit_auth_t:process signal;
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.10/policy/modules/services/policykit.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.11/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/policykit.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/policykit.te 2010-03-03 23:48:01.000000000 -0500
@@ -36,11 +36,12 @@
# policykit local policy
#
@@ -20948,7 +21016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
auth_use_nsswitch(policykit_t)
-@@ -68,21 +73,42 @@
+@@ -68,21 +73,43 @@
miscfiles_read_localization(policykit_t)
@@ -20981,7 +21049,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
-allow policykit_auth_t self:process getattr;
-allow policykit_auth_t self:fifo_file rw_file_perms;
+allow policykit_auth_t self:capability { setgid setuid };
-+allow policykit_auth_t self:process { getattr getsched };
++dontaudit policykit_auth_t self:capability sys_tty_config;
++allow policykit_auth_t self:process { getattr getsched signal };
+allow policykit_auth_t self:fifo_file rw_fifo_file_perms;
+
allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
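Review bot: The new `dontaudit policykit_auth_t self:capability sys_tty_config;` silences a capability denial without recording what triggers it, so a later maintainer cannot tell whether the rule is still needed or is now masking a real misconfiguration of the auth helper. A one-line comment above it would make the intent reviewable, e.g. `# auth helper trips sys_tty_config at startup (cause not confirmed); the denial is benign, so only suppress the audit noise`, hedged because the source of the denial is not visible in this hunk. The `signal` added to `self:process` is self-scoped and matches the commit message, so it needs no further justification. The inner policykit.te hunk this patch rewrites (`@@ -68,21 +73,43 @@`) starts outside this outer hunk.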
@@ -20995,7 +21064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
-@@ -92,21 +118,29 @@
+@@ -92,21 +119,29 @@
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
@@ -21027,7 +21096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
-@@ -119,6 +153,14 @@
+@@ -119,6 +154,14 @@
hal_read_state(policykit_auth_t)
')
@@ -21042,7 +21111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
########################################
#
# polkit_grant local policy
-@@ -126,7 +168,8 @@
+@@ -126,7 +169,8 @@
allow policykit_grant_t self:capability setuid;
allow policykit_grant_t self:process getattr;
@@ -21052,7 +21121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -156,9 +199,12 @@
+@@ -156,9 +200,12 @@
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
@@ -21066,7 +21135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
consolekit_dbus_chat(policykit_grant_t)
')
')
-@@ -170,7 +216,8 @@
+@@ -170,7 +217,8 @@
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
allow policykit_resolve_t self:process getattr;
@@ -21076,9 +21145,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.10/policy/modules/services/portreserve.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.11/policy/modules/services/portreserve.te
--- nsaserefpolicy/policy/modules/services/portreserve.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/portreserve.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/portreserve.te 2010-03-03 23:48:01.000000000 -0500
@@ -21,6 +21,7 @@
# Portreserve local policy
#
@@ -21096,9 +21165,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port
corenet_all_recvfrom_unlabeled(portreserve_t)
corenet_all_recvfrom_netlabel(portreserve_t)
corenet_tcp_bind_generic_node(portreserve_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.10/policy/modules/services/postfix.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.11/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/postfix.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/postfix.fc 2010-03-03 23:48:01.000000000 -0500
@@ -29,12 +29,10 @@
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
@@ -21112,9 +21181,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.10/policy/modules/services/postfix.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.11/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/postfix.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/postfix.if 2010-03-03 23:48:01.000000000 -0500
@@ -46,6 +46,7 @@
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -21409,9 +21478,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+ role $2 types postfix_postdrop_t;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.10/policy/modules/services/postfix.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.11/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/postfix.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/postfix.te 2010-03-03 23:48:01.000000000 -0500
@@ -6,6 +6,15 @@
# Declarations
#
@@ -21812,9 +21881,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+userdom_manage_user_home_content(postfix_virtual_t)
+userdom_home_filetrans_user_home_dir(postfix_virtual_t)
+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.10/policy/modules/services/postgresql.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.11/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/postgresql.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/postgresql.fc 2010-03-03 23:48:01.000000000 -0500
@@ -3,6 +3,7 @@
#
/etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
@@ -21841,9 +21910,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.10/policy/modules/services/postgresql.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.11/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/postgresql.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/postgresql.if 2010-03-03 23:48:01.000000000 -0500
@@ -125,6 +125,23 @@
typeattribute $1 sepgsql_table_type;
')
@@ -21868,9 +21937,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
##
## Marks as a SE-PostgreSQL system table/column/tuple object type
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.10/policy/modules/services/postgresql.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.11/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/postgresql.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/postgresql.te 2010-03-03 23:48:01.000000000 -0500
@@ -150,6 +150,7 @@
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
allow postgresql_t self:process signal_perms;
@@ -21905,9 +21974,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
miscfiles_read_localization(postgresql_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.7.10/policy/modules/services/ppp.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.7.11/policy/modules/services/ppp.fc
--- nsaserefpolicy/policy/modules/services/ppp.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/ppp.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/ppp.fc 2010-03-03 23:48:01.000000000 -0500
@@ -3,6 +3,7 @@
#
/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
@@ -21916,9 +21985,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.10/policy/modules/services/ppp.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.11/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/ppp.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/ppp.if 2010-03-03 23:48:01.000000000 -0500
@@ -182,6 +182,10 @@
ppp_domtrans($1)
role $2 types pppd_t;
@@ -21930,9 +21999,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.10/policy/modules/services/ppp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.11/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/ppp.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/ppp.te 2010-03-03 23:48:01.000000000 -0500
@@ -71,9 +71,9 @@
# PPPD Local policy
#
@@ -21970,9 +22039,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
optional_policy(`
consoletype_exec(pppd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.10/policy/modules/services/prelude.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.11/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/prelude.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/prelude.te 2010-03-03 23:48:01.000000000 -0500
@@ -90,6 +90,7 @@
corenet_tcp_bind_prelude_port(prelude_t)
corenet_tcp_connect_prelude_port(prelude_t)
@@ -21990,9 +22059,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
fs_rw_anon_inodefs_files(prelude_lml_t)
auth_use_nsswitch(prelude_lml_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.10/policy/modules/services/procmail.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.11/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/procmail.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/procmail.te 2010-03-03 23:48:01.000000000 -0500
@@ -22,7 +22,7 @@
# Local policy
#
@@ -22040,9 +22109,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.10/policy/modules/services/pyzor.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.11/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/pyzor.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/pyzor.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,6 +1,10 @@
/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
@@ -22054,9 +22123,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.10/policy/modules/services/pyzor.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.11/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/pyzor.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/pyzor.if 2010-03-03 23:48:01.000000000 -0500
@@ -88,3 +88,50 @@
corecmd_search_bin($1)
can_exec($1, pyzor_exec_t)
@@ -22108,9 +22177,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.10/policy/modules/services/pyzor.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.11/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/pyzor.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/pyzor.te 2010-03-03 23:48:01.000000000 -0500
@@ -6,6 +6,38 @@
# Declarations
#
@@ -22175,9 +22244,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
userdom_dontaudit_search_user_home_dirs(pyzor_t)
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.7.10/policy/modules/services/radvd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.7.11/policy/modules/services/radvd.te
--- nsaserefpolicy/policy/modules/services/radvd.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/radvd.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/radvd.te 2010-03-03 23:48:01.000000000 -0500
@@ -22,9 +22,9 @@
#
# Local policy
@@ -22213,17 +22282,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radv
seutil_sigchld_newrole(radvd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.10/policy/modules/services/razor.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.11/policy/modules/services/razor.fc
--- nsaserefpolicy/policy/modules/services/razor.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/razor.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/razor.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,3 +1,4 @@
+/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.10/policy/modules/services/razor.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.11/policy/modules/services/razor.if
--- nsaserefpolicy/policy/modules/services/razor.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/razor.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/razor.if 2010-03-03 23:48:01.000000000 -0500
@@ -157,3 +157,45 @@
domtrans_pattern($1, razor_exec_t, razor_t)
@@ -22270,9 +22339,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
+ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.10/policy/modules/services/razor.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.11/policy/modules/services/razor.te
--- nsaserefpolicy/policy/modules/services/razor.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/razor.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/razor.te 2010-03-03 23:48:01.000000000 -0500
@@ -6,6 +6,32 @@
# Declarations
#
@@ -22324,9 +22393,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
+')
+
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.7.10/policy/modules/services/rdisc.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.7.11/policy/modules/services/rdisc.if
--- nsaserefpolicy/policy/modules/services/rdisc.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/rdisc.if 2010-02-26 08:34:00.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/rdisc.if 2010-03-03 23:48:01.000000000 -0500
@@ -1 +1,20 @@
## Network router discovery daemon
+
@@ -22348,9 +22417,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdis
+ corecmd_search_bin($1)
+ can_exec($1,rdisc_exec_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.10/policy/modules/services/rgmanager.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.11/policy/modules/services/rgmanager.fc
--- nsaserefpolicy/policy/modules/services/rgmanager.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/rgmanager.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/rgmanager.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,8 @@
+
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
@@ -22360,9 +22429,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+
+/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.10/policy/modules/services/rgmanager.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.11/policy/modules/services/rgmanager.if
--- nsaserefpolicy/policy/modules/services/rgmanager.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/rgmanager.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/rgmanager.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,98 @@
+## SELinux policy for rgmanager
+
@@ -22462,9 +22531,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+ manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
+ manage_lnk_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.10/policy/modules/services/rgmanager.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.11/policy/modules/services/rgmanager.te
--- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/rgmanager.te 2010-02-26 11:53:19.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/rgmanager.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,223 @@
+
+policy_module(rgmanager,1.0.0)
@@ -22689,9 +22758,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+optional_policy(`
+ xen_domtrans_xm(rgmanager_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.10/policy/modules/services/rhcs.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.11/policy/modules/services/rhcs.fc
--- nsaserefpolicy/policy/modules/services/rhcs.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/rhcs.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/rhcs.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,23 @@
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
@@ -22716,9 +22785,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.10/policy/modules/services/rhcs.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.11/policy/modules/services/rhcs.if
--- nsaserefpolicy/policy/modules/services/rhcs.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/rhcs.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/rhcs.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,424 @@
+## SELinux policy for RHCS - Red Hat Cluster Suite
+
@@ -23144,9 +23213,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.10/policy/modules/services/rhcs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.11/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/rhcs.te 2010-02-26 11:55:16.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/rhcs.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,248 @@
+
+policy_module(rhcs,1.1.0)
@@ -23396,9 +23465,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+optional_policy(`
+ corosync_stream_connect(cluster_domain)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.10/policy/modules/services/ricci.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.11/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/ricci.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/ricci.te 2010-03-04 09:03:39.000000000 -0500
@@ -194,10 +194,13 @@
# ricci_modcluster local policy
#
@@ -23437,7 +23506,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
# XXX This has got to go.
unconfined_domain(ricci_modcluster_t)
')
-@@ -264,6 +276,7 @@
+@@ -259,11 +271,11 @@
+ allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
+ allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
+ allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms;
+-allow ricci_modclusterd_t self:netlink_route_socket r_netlink_socket_perms;
+ # cjp: this needs to be fixed for a specific socket type:
allow ricci_modclusterd_t self:socket create_socket_perms;
allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
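Review bot: The explicit `allow ricci_modclusterd_t self:netlink_route_socket r_netlink_socket_perms;` is dropped in this hunk with no replacement visible here; it only stays correct because the next hunk (`@@ -23445,18 +23519,29 @@`) adds `auth_use_nsswitch(ricci_modclusterd_t)` while removing `sysnet_dns_name_resolve(ricci_modclusterd_t)`, and auth_use_nsswitch in refpolicy, as far as I recall, carries both the route-socket access and DNS resolution. Because the two edits depend on each other, a one-line comment in ricci.te above the new interface call, `# netlink_route_socket and dns_name_resolve are provided by auth_use_nsswitch`, would keep a later rebase from reapplying only half of the change. It is also worth recording that auth_use_nsswitch is broader than the call it replaces (it additionally permits the nscd/sssd/winbind/ldap client paths where those modules are loaded), so the getpwnam fix widens modclusterd's reach beyond plain DNS; that is the intent per the changelog, but it should be visible in the policy rather than inferred. The enclosing ricci_modclusterd_t local-policy block starts before this hunk and continues past the next one.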
@@ -23445,18 +23519,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
# log files
allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
-@@ -306,12 +319,21 @@
- sysnet_dns_name_resolve(ricci_modclusterd_t)
+@@ -294,6 +306,8 @@
- optional_policy(`
-+ aisexec_stream_connect(ricci_modclusterd_t)
-+ corosync_stream_connect(ricci_modclusterd_t)
-+')
+ fs_getattr_xattr_fs(ricci_modclusterd_t)
+
++auth_use_nsswitch(ricci_modclusterd_t)
++
+ init_stream_connect_script(ricci_modclusterd_t)
+
+ locallogin_dontaudit_use_fds(ricci_modclusterd_t)
+@@ -303,7 +317,11 @@
+ miscfiles_read_localization(ricci_modclusterd_t)
+
+ sysnet_domtrans_ifconfig(ricci_modclusterd_t)
+-sysnet_dns_name_resolve(ricci_modclusterd_t)
+
+optional_policy(`
++ aisexec_stream_connect(ricci_modclusterd_t)
++ corosync_stream_connect(ricci_modclusterd_t)
++')
+
+ optional_policy(`
ccs_domtrans(ricci_modclusterd_t)
- ccs_stream_connect(ricci_modclusterd_t)
- ccs_read_config(ricci_modclusterd_t)
+@@ -312,6 +330,10 @@
')
optional_policy(`
@@ -23491,9 +23576,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
ccs_stream_connect(ricci_modstorage_t)
ccs_read_config(ricci_modstorage_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.7.10/policy/modules/services/rpc.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.7.11/policy/modules/services/rpc.fc
--- nsaserefpolicy/policy/modules/services/rpc.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/rpc.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/rpc.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,6 +1,10 @@
#
# /etc
@@ -23505,9 +23590,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.10/policy/modules/services/rpc.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.11/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/rpc.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/rpc.if 2010-03-03 23:48:01.000000000 -0500
@@ -54,7 +54,7 @@
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
@@ -23601,9 +23686,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ allow $1 var_lib_nfs_t:file { relabelfrom relabelto };
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.10/policy/modules/services/rpc.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.11/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/rpc.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/rpc.te 2010-03-03 23:48:01.000000000 -0500
@@ -8,7 +8,7 @@
##
@@ -23738,9 +23823,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.7.10/policy/modules/services/rsync.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.7.11/policy/modules/services/rsync.if
--- nsaserefpolicy/policy/modules/services/rsync.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/rsync.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/rsync.if 2010-03-03 23:48:01.000000000 -0500
@@ -119,7 +119,7 @@
type rsync_etc_t;
')
@@ -23758,9 +23843,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
+ write_files_pattern($1, rsync_etc_t, rsync_etc_t)
files_search_etc($1)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.10/policy/modules/services/rsync.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.11/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/rsync.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/rsync.te 2010-03-03 23:48:01.000000000 -0500
@@ -8,6 +8,13 @@
##
@@ -23812,9 +23897,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
+')
+
auth_can_read_shadow_passwords(rsync_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.10/policy/modules/services/rtkit.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.11/policy/modules/services/rtkit.if
--- nsaserefpolicy/policy/modules/services/rtkit.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/rtkit.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/rtkit.if 2010-03-03 23:48:01.000000000 -0500
@@ -38,3 +38,23 @@
allow $1 rtkit_daemon_t:dbus send_msg;
allow rtkit_daemon_t $1:dbus send_msg;
@@ -23839,9 +23924,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki
+ allow rtkit_daemon_t $1:process { getsched setsched };
+ rtkit_daemon_dbus_chat($1)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.10/policy/modules/services/rtkit.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.11/policy/modules/services/rtkit.te
--- nsaserefpolicy/policy/modules/services/rtkit.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/rtkit.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/rtkit.te 2010-03-03 23:48:01.000000000 -0500
@@ -17,9 +17,11 @@
allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
@@ -23863,9 +23948,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki
optional_policy(`
policykit_dbus_chat(rtkit_daemon_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.10/policy/modules/services/samba.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.11/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/samba.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/samba.fc 2010-03-03 23:48:01.000000000 -0500
@@ -51,3 +51,7 @@
/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
@@ -23874,9 +23959,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+ifndef(`enable_mls',`
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.10/policy/modules/services/samba.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.11/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/samba.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/samba.if 2010-03-03 23:48:01.000000000 -0500
@@ -62,6 +62,25 @@
########################################
@@ -24090,9 +24175,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
admin_pattern($1, winbind_var_run_t)
+ admin_pattern($1, samba_unconfined_script_exec_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.10/policy/modules/services/samba.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.11/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/samba.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/samba.te 2010-03-03 23:48:01.000000000 -0500
@@ -66,6 +66,13 @@
##
gen_tunable(samba_share_nfs, false)
@@ -24316,16 +24401,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t smbd_exec_t:file mmap_file_perms ;
allow swat_t smbd_t:process signull;
-@@ -657,7 +695,7 @@
+@@ -657,7 +695,8 @@
files_pid_filetrans(swat_t, swat_var_run_t, file)
allow swat_t winbind_exec_t:file mmap_file_perms;
-can_exec(swat_t, winbind_exec_t)
+domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
++allow swat_t winbind_t:process { signal signull };
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -700,6 +738,8 @@
+@@ -700,6 +739,8 @@
miscfiles_read_localization(swat_t)
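Review bot: The new `allow swat_t winbind_t:process { signal signull };` gives the web-facing swat domain the generic `signal` permission over winbind_t, which covers SIGTERM and SIGHUP and therefore lets swat stop or restart winbind, not just probe it; the rule carries no comment explaining that, and the inner hunk header bump to `+695,8` is the only other trace of it. Since it sits directly under `domtrans_pattern(swat_t, winbind_exec_t, winbind_t)`, the intent appears to be lifecycle management of the winbind instance swat launches, so a comment such as `# swat starts and stops winbind from its admin UI; signal is needed for the stop path` would make the scope deliberate and reviewable. If only liveness checks are needed in practice, `signull` alone would suffice and `signal` could be dropped; audit2allow output from a real swat run would settle which. The swat_t policy block begins before this hunk.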
@@ -24334,7 +24420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -713,12 +753,23 @@
+@@ -713,12 +754,23 @@
kerberos_use(swat_t)
')
@@ -24359,7 +24445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
dontaudit winbind_t self:capability sys_tty_config;
allow winbind_t self:process { signal_perms getsched setsched };
allow winbind_t self:fifo_file rw_fifo_file_perms;
-@@ -779,6 +830,9 @@
+@@ -779,6 +831,9 @@
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -24369,7 +24455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
-@@ -788,7 +842,7 @@
+@@ -788,7 +843,7 @@
auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
@@ -24378,7 +24464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
domain_use_interactive_fds(winbind_t)
-@@ -866,6 +920,18 @@
+@@ -866,6 +921,18 @@
#
optional_policy(`
@@ -24397,7 +24483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -876,9 +942,12 @@
+@@ -876,9 +943,12 @@
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -24411,9 +24497,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+',`
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.10/policy/modules/services/sasl.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.11/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/sasl.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/sasl.te 2010-03-03 23:48:01.000000000 -0500
@@ -31,7 +31,7 @@
# Local policy
#
@@ -24476,9 +24562,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
seutil_sigchld_newrole(saslauthd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.10/policy/modules/services/sendmail.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.11/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/sendmail.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/sendmail.if 2010-03-03 23:48:01.000000000 -0500
@@ -277,3 +277,22 @@
sendmail_domtrans_unconfined($1)
role $2 types unconfined_sendmail_t;
@@ -24502,9 +24588,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+ domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.10/policy/modules/services/sendmail.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.11/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/sendmail.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/sendmail.te 2010-03-03 23:48:01.000000000 -0500
@@ -30,7 +30,7 @@
#
@@ -24583,18 +24669,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+ unconfined_domain_noaudit(unconfined_sendmail_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.10/policy/modules/services/setroubleshoot.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.11/policy/modules/services/setroubleshoot.fc
--- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/setroubleshoot.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/setroubleshoot.fc 2010-03-03 23:48:01.000000000 -0500
@@ -5,3 +5,5 @@
/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
+
+/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.10/policy/modules/services/setroubleshoot.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.11/policy/modules/services/setroubleshoot.if
--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/setroubleshoot.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/setroubleshoot.if 2010-03-03 23:48:01.000000000 -0500
@@ -16,8 +16,8 @@
')
@@ -24732,9 +24818,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+ files_list_pids($1)
+ admin_pattern($1, setroubleshoot_var_run_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.10/policy/modules/services/setroubleshoot.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.11/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/setroubleshoot.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/setroubleshoot.te 2010-03-03 23:48:01.000000000 -0500
@@ -22,13 +22,19 @@
type setroubleshoot_var_run_t;
files_pid_file(setroubleshoot_var_run_t)
@@ -24880,9 +24966,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+ policykit_dbus_chat(setroubleshoot_fixit_t)
+ userdom_read_all_users_state(setroubleshoot_fixit_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.fc serefpolicy-3.7.10/policy/modules/services/smokeping.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.fc serefpolicy-3.7.11/policy/modules/services/smokeping.fc
--- nsaserefpolicy/policy/modules/services/smokeping.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/smokeping.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/smokeping.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,12 @@
+
+/etc/rc\.d/init\.d/smokeping -- gen_context(system_u:object_r:smokeping_initrc_exec_t,s0)
@@ -24896,9 +24982,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok
+/var/run/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_run_t,s0)
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.if serefpolicy-3.7.10/policy/modules/services/smokeping.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.if serefpolicy-3.7.11/policy/modules/services/smokeping.if
--- nsaserefpolicy/policy/modules/services/smokeping.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/smokeping.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/smokeping.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,193 @@
+
+## policy for smokeping
@@ -25093,9 +25179,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok
+ smokeping_manage_var_lib($1)
+
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.te serefpolicy-3.7.10/policy/modules/services/smokeping.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.te serefpolicy-3.7.11/policy/modules/services/smokeping.te
--- nsaserefpolicy/policy/modules/services/smokeping.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/smokeping.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/smokeping.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,81 @@
+
+policy_module(smokeping,1.0.0)
@@ -25178,9 +25264,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok
+
+ sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.10/policy/modules/services/snmp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.11/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/snmp.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/snmp.te 2010-03-03 23:48:01.000000000 -0500
@@ -25,7 +25,7 @@
#
# Local policy
@@ -25190,9 +25276,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
allow snmpd_t self:process { signal_perms getsched setsched };
allow snmpd_t self:fifo_file rw_fifo_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.10/policy/modules/services/snort.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.11/policy/modules/services/snort.te
--- nsaserefpolicy/policy/modules/services/snort.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/snort.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/snort.te 2010-03-03 23:48:01.000000000 -0500
@@ -37,6 +37,7 @@
allow snort_t self:tcp_socket create_stream_socket_perms;
allow snort_t self:udp_socket create_socket_perms;
@@ -25226,9 +25312,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor
domain_use_interactive_fds(snort_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.10/policy/modules/services/spamassassin.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.11/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/spamassassin.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/spamassassin.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,15 +1,26 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
@@ -25258,9 +25344,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.10/policy/modules/services/spamassassin.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.11/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/spamassassin.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/spamassassin.if 2010-03-03 23:48:01.000000000 -0500
@@ -111,6 +111,45 @@
')
@@ -25387,9 +25473,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+ files_list_pids($1)
+ admin_pattern($1, spamd_var_run_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.10/policy/modules/services/spamassassin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.11/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/spamassassin.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/spamassassin.te 2010-03-03 23:48:01.000000000 -0500
@@ -20,6 +20,35 @@
##
gen_tunable(spamd_enable_home_dirs, true)
@@ -25695,9 +25781,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+optional_policy(`
udev_read_db(spamd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.10/policy/modules/services/squid.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.11/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/squid.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/squid.te 2010-03-03 23:48:01.000000000 -0500
@@ -67,7 +67,9 @@
can_exec(squid_t, squid_exec_t)
@@ -25726,18 +25812,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
-#squid requires the following when run in diskd mode, the recommended setting
-allow squid_t tmpfs_t:file { read write };
-') dnl end TODO
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.10/policy/modules/services/ssh.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.11/policy/modules/services/ssh.fc
--- nsaserefpolicy/policy/modules/services/ssh.fc 2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/ssh.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/ssh.fc 2010-03-03 23:48:01.000000000 -0500
@@ -14,3 +14,5 @@
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
+
+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.10/policy/modules/services/ssh.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.11/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/ssh.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/ssh.if 2010-03-03 23:48:01.000000000 -0500
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -25905,9 +25991,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
#######################################
##
## Delete from the ssh temp files.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.10/policy/modules/services/ssh.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.11/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/ssh.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/ssh.te 2010-03-03 23:48:01.000000000 -0500
@@ -114,6 +114,7 @@
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
@@ -26040,9 +26126,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
ifdef(`TODO',`
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.10/policy/modules/services/sssd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.11/policy/modules/services/sssd.fc
--- nsaserefpolicy/policy/modules/services/sssd.fc 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/sssd.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/sssd.fc 2010-03-03 23:48:01.000000000 -0500
@@ -4,6 +4,8 @@
/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
@@ -26052,9 +26138,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.10/policy/modules/services/sssd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.11/policy/modules/services/sssd.if
--- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/sssd.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/sssd.if 2010-03-03 23:48:01.000000000 -0500
@@ -38,6 +38,25 @@
########################################
@@ -26133,9 +26219,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
+
+ admin_pattern($1, sssd_public_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.10/policy/modules/services/sssd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.11/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/sssd.te 2010-02-25 18:53:37.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/sssd.te 2010-03-03 23:48:01.000000000 -0500
@@ -13,6 +13,9 @@
type sssd_initrc_exec_t;
init_script_file(sssd_initrc_exec_t)
@@ -26190,9 +26276,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
optional_policy(`
dbus_system_bus_client(sssd_t)
dbus_connect_system_bus(sssd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.10/policy/modules/services/sysstat.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.11/policy/modules/services/sysstat.te
--- nsaserefpolicy/policy/modules/services/sysstat.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/sysstat.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/sysstat.te 2010-03-03 23:48:01.000000000 -0500
@@ -19,14 +19,15 @@
# Local policy
#
@@ -26211,9 +26297,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/syss
logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
# get info from /proc
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.7.10/policy/modules/services/telnet.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.7.11/policy/modules/services/telnet.te
--- nsaserefpolicy/policy/modules/services/telnet.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/telnet.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/telnet.te 2010-03-03 23:48:01.000000000 -0500
@@ -85,6 +85,7 @@
remotelogin_domtrans(telnetd_t)
@@ -26222,9 +26308,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln
optional_policy(`
kerberos_keytab_template(telnetd, telnetd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.7.10/policy/modules/services/tftp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.7.11/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/tftp.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/tftp.te 2010-03-03 23:48:01.000000000 -0500
@@ -50,9 +50,8 @@
manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t)
files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
@@ -26236,9 +26322,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp
corenet_all_recvfrom_unlabeled(tftpd_t)
corenet_all_recvfrom_netlabel(tftpd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.if serefpolicy-3.7.10/policy/modules/services/tgtd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.if serefpolicy-3.7.11/policy/modules/services/tgtd.if
--- nsaserefpolicy/policy/modules/services/tgtd.if 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/tgtd.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/tgtd.if 2010-03-03 23:48:01.000000000 -0500
@@ -9,3 +9,20 @@
##
##
@@ -26260,9 +26346,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd
+
+ allow $1 tgtd_t:sem { rw_sem_perms };
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.7.10/policy/modules/services/tgtd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.7.11/policy/modules/services/tgtd.te
--- nsaserefpolicy/policy/modules/services/tgtd.te 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/tgtd.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/tgtd.te 2010-03-03 23:48:01.000000000 -0500
@@ -60,7 +60,7 @@
files_read_etc_files(tgtd_t)
@@ -26272,9 +26358,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd
logging_send_syslog_msg(tgtd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.10/policy/modules/services/tor.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.11/policy/modules/services/tor.te
--- nsaserefpolicy/policy/modules/services/tor.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/tor.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/tor.te 2010-03-03 23:48:01.000000000 -0500
@@ -6,6 +6,14 @@
# Declarations
#
@@ -26306,9 +26392,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.
+tunable_policy(`tor_bind_all_unreserved_ports', `
+ corenet_tcp_bind_all_unreserved_ports(tor_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.7.10/policy/modules/services/tuned.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.7.11/policy/modules/services/tuned.fc
--- nsaserefpolicy/policy/modules/services/tuned.fc 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/tuned.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/tuned.fc 2010-03-03 23:48:01.000000000 -0500
@@ -2,4 +2,7 @@
/usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
@@ -26317,9 +26403,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune
+/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0)
+
/var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.10/policy/modules/services/tuned.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.11/policy/modules/services/tuned.te
--- nsaserefpolicy/policy/modules/services/tuned.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/tuned.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/tuned.te 2010-03-03 23:48:01.000000000 -0500
@@ -13,6 +13,9 @@
type tuned_initrc_exec_t;
init_script_file(tuned_initrc_exec_t)
@@ -26373,9 +26459,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune
# to allow network interface tuning
optional_policy(`
sysnet_domtrans_ifconfig(tuned_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.7.10/policy/modules/services/ucspitcp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.7.11/policy/modules/services/ucspitcp.te
--- nsaserefpolicy/policy/modules/services/ucspitcp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/ucspitcp.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/ucspitcp.te 2010-03-03 23:48:01.000000000 -0500
@@ -92,3 +92,8 @@
daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
daemontools_read_svc(ucspitcp_t)
@@ -26385,17 +26471,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp
+ daemontools_sigchld_run(ucspitcp_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.10/policy/modules/services/usbmuxd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.11/policy/modules/services/usbmuxd.fc
--- nsaserefpolicy/policy/modules/services/usbmuxd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/usbmuxd.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/usbmuxd.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
+
+/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.7.10/policy/modules/services/usbmuxd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.7.11/policy/modules/services/usbmuxd.if
--- nsaserefpolicy/policy/modules/services/usbmuxd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/usbmuxd.if 2010-02-28 07:25:11.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/usbmuxd.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,39 @@
+## Daemon for communicating with Apple's iPod Touch and iPhone
+
@@ -26436,10 +26522,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm
+ files_search_pids($1)
+ stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.7.10/policy/modules/services/usbmuxd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.7.11/policy/modules/services/usbmuxd.te
--- nsaserefpolicy/policy/modules/services/usbmuxd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/usbmuxd.te 2010-02-23 15:54:38.000000000 -0500
-@@ -0,0 +1,47 @@
++++ serefpolicy-3.7.11/policy/modules/services/usbmuxd.te 2010-03-03 23:48:01.000000000 -0500
+@@ -0,0 +1,48 @@
+policy_module(usbmuxd,1.0.0)
+
+########################################
@@ -26450,6 +26536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm
+type usbmuxd_t;
+type usbmuxd_exec_t;
+application_domain(usbmuxd_t, usbmuxd_exec_t)
++role system_r types usbmuxd_t;
+
+type usbmuxd_var_run_t;
+files_pid_file(usbmuxd_var_run_t)
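Review bot: The new `role system_r types usbmuxd_t;` carries no comment saying which system_r process is expected to enter a domain that is otherwise declared with `application_domain()`, so a later reader cannot tell whether the role line or an `init_daemon_domain()` declaration was intended. Add a why-comment on the new line, e.g. `# usbmuxd is started by udev (no initscript), so the domain must be valid in system_r`, adjusted to whatever actually launches it. The domtrans from that launcher (presumably udev_t) is not visible in this hunk; confirm it exists, since the role line alone does not let anything enter the domain.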
@@ -26487,9 +26574,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm
+auth_use_nsswitch(usbmuxd_t)
+
+logging_send_syslog_msg(usbmuxd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.10/policy/modules/services/uucp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.11/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/uucp.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/uucp.te 2010-03-03 23:48:01.000000000 -0500
@@ -90,6 +90,7 @@
fs_getattr_xattr_fs(uucpd_t)
@@ -26507,9 +26594,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp
optional_policy(`
cron_system_entry(uucpd_t, uucpd_exec_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.10/policy/modules/services/vhostmd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.11/policy/modules/services/vhostmd.fc
--- nsaserefpolicy/policy/modules/services/vhostmd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/vhostmd.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/vhostmd.fc 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,6 @@
+
+/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0)
@@ -26517,9 +26604,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
+/etc/rc.d/init.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0)
+/var/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.7.10/policy/modules/services/vhostmd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.7.11/policy/modules/services/vhostmd.if
--- nsaserefpolicy/policy/modules/services/vhostmd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/vhostmd.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/vhostmd.if 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,228 @@
+
+## policy for vhostmd
@@ -26749,9 +26836,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
+ vhostmd_manage_var_run($1)
+
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.10/policy/modules/services/vhostmd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.11/policy/modules/services/vhostmd.te
--- nsaserefpolicy/policy/modules/services/vhostmd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/vhostmd.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/vhostmd.te 2010-03-03 23:48:01.000000000 -0500
@@ -0,0 +1,84 @@
+
+policy_module(vhostmd,1.0.0)
@@ -26837,9 +26924,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
+ xen_stream_connect_xenstore(vhostmd_t)
+ xen_stream_connect_xm(vhostmd_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.10/policy/modules/services/virt.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.11/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/virt.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/virt.fc 2010-03-03 23:48:01.000000000 -0500
@@ -8,6 +8,10 @@
/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
@@ -26851,19 +26938,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.10/policy/modules/services/virt.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.11/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/virt.if 2010-02-26 11:14:28.000000000 -0500
-@@ -22,6 +22,8 @@
++++ serefpolicy-3.7.11/policy/modules/services/virt.if 2010-03-04 08:13:56.000000000 -0500
+@@ -22,6 +22,11 @@
domain_type($1_t)
role system_r types $1_t;
++ type $1_devpts_t;
++ term_pty($1_devpts_t)
++
+ domain_user_exemption_target($1_t)
+
type $1_tmp_t;
files_tmp_file($1_tmp_t)
-@@ -62,6 +64,9 @@
+@@ -35,6 +40,9 @@
+ type $1_var_run_t;
+ files_pid_file($1_var_run_t)
+
++ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
++ term_create_pty($1_t, $1_devpts_t)
++
+ manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
+ manage_files_pattern($1_t, $1_image_t, $1_image_t)
+ read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
+@@ -62,6 +70,9 @@
files_pid_filetrans($1_t, $1_var_run_t, { dir file })
stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t)
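Review bot: The new `allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };` has no comment, and `setattr` in particular reads as an over-grant unless the reader knows it is for the pty slave. `term_create_pty()` only grants ptmx access and the type transition, so the explicit rule is needed, but it should say why, e.g. `# guest serial/virtio consoles: the ptmx slave lands in $1_devpts_t via the transition; setattr covers grantpt()` (confirm the console use case). Because every guest instantiated from this template shares the one `$1_devpts_t` type, separation between guests presumably rests on the MCS level the pty inherits from the creating process; stating that in the comment keeps it from being loosened to plain `devpts_t` later. The enclosing template begins outside the hunk.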
@@ -26873,7 +26973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
########################################
-@@ -293,6 +298,7 @@
+@@ -293,6 +304,7 @@
files_search_var_lib($1)
read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
@@ -26881,7 +26981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
########################################
-@@ -505,3 +511,32 @@
+@@ -505,3 +517,32 @@
virt_manage_log($1)
')
@@ -26914,9 +27014,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+ ptchown_run(svirt_t, $2)
+ ')
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.10/policy/modules/services/virt.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.11/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/virt.te 2010-03-01 09:05:11.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/virt.te 2010-03-03 23:48:01.000000000 -0500
@@ -15,6 +15,13 @@
##
@@ -27107,9 +27207,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
auth_use_nsswitch(virt_domain)
logging_send_syslog_msg(virt_domain)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.10/policy/modules/services/w3c.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.11/policy/modules/services/w3c.te
--- nsaserefpolicy/policy/modules/services/w3c.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/w3c.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/w3c.te 2010-03-03 23:48:01.000000000 -0500
@@ -8,11 +8,18 @@
apache_content_template(w3c_validator)
@@ -27129,9 +27229,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.10/policy/modules/services/xserver.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.11/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/xserver.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/xserver.fc 2010-03-03 23:48:01.000000000 -0500
@@ -3,12 +3,21 @@
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -27239,9 +27339,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.10/policy/modules/services/xserver.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.11/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/xserver.if 2010-02-26 14:29:51.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/xserver.if 2010-03-04 09:34:53.000000000 -0500
@@ -19,7 +19,7 @@
interface(`xserver_restricted_role',`
gen_require(`
@@ -27268,21 +27368,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_search_tmp($2)
# Communicate via System V shared memory.
-@@ -56,6 +57,13 @@
+@@ -56,6 +57,10 @@
domtrans_pattern($2, iceauth_exec_t, iceauth_t)
+ifdef(`hide_broken_symptoms', `
-+ dontaudit iceauth_t $2:unix_stream_socket rw_socket_perms;
-+ dontaudit iceauth_t $2:tcp_socket rw_socket_perms;
-+ dontaudit iceauth_t $2:udp_socket rw_socket_perms;
-+ fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
++ dontaudit iceauth_t $2:socket_class_set { read write };
+')
+
allow $2 iceauth_home_t:file read_file_perms;
domtrans_pattern($2, xauth_exec_t, xauth_t)
-@@ -71,9 +79,10 @@
+@@ -71,9 +76,10 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
allow $2 xdm_t:fifo_file { getattr read write ioctl };
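Review bot: The replacement `dontaudit iceauth_t $2:socket_class_set { read write };` widens the class set (it now also covers unix_dgram, netlink, raw and packet sockets) while dropping the `ioctl`/`getattr`/`setattr`/`shutdown` part of the old `rw_socket_perms`, so leaked-descriptor noise of those kinds from $2 may reappear in the audit log. If the intent is purely to hide inherited descriptors under `hide_broken_symptoms`, keep the old permission set on the new class set: `dontaudit iceauth_t $2:socket_class_set rw_socket_perms;`. Either way a one-line comment such as `# descriptors leaked across the transition from $2; hide, don't grant` would make the dontaudit self-explanatory. The enclosing interface starts outside the hunk.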
@@ -27294,7 +27391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Client read xserver shm
allow $2 xserver_t:fd use;
-@@ -94,9 +103,9 @@
+@@ -94,9 +100,9 @@
dev_rw_usbfs($2)
miscfiles_read_fonts($2)
@@ -27305,7 +27402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
-@@ -197,7 +206,7 @@
+@@ -197,7 +203,7 @@
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
@@ -27314,7 +27411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Client read xserver shm
allow $1 xserver_t:fd use;
-@@ -291,12 +300,12 @@
+@@ -291,12 +297,12 @@
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -27330,7 +27427,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow $1 xdm_tmp_t:dir search;
allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -476,6 +485,7 @@
+@@ -355,6 +361,11 @@
+ class x_property all_x_property_perms;
+ class x_event all_x_event_perms;
+ class x_synthetic_event all_x_synthetic_event_perms;
++ class x_client destroy;
++ class x_server manage;
++ class x_pointer manage;
++ class x_keyboard { read manage };
++ type xdm_t, xserver_t;
+ ')
+
+ ##############################
+@@ -386,6 +397,14 @@
+ allow $2 xevent_t:{ x_event x_synthetic_event } receive;
+ # dont audit send failures
+ dontaudit $2 input_xevent_type:x_event send;
++
++ allow $2 xdm_t:x_drawable { read add_child };
++ allow $2 xdm_t:x_client destroy;
++
++ allow $2 root_xdrawable_t:x_drawable write;
++ allow $2 xserver_t:x_server manage;
++ allow $2 xserver_t:x_pointer manage;
++ allow $2 xserver_t:x_keyboard { read manage };
+ ')
+
+ #######################################
+@@ -476,6 +495,7 @@
xserver_use_user_fonts($2)
xserver_read_xdm_tmp_files($2)
@@ -27338,18 +27462,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# X object manager
xserver_object_types_template($1)
-@@ -545,6 +555,10 @@
+@@ -545,6 +565,9 @@
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
+ifdef(`hide_broken_symptoms', `
+ dontaudit xauth_t $1:socket_class_set { read write };
-+ fs_dontaudit_rw_anon_inodefs_files(xauth_t)
+')
')
########################################
-@@ -598,6 +612,7 @@
+@@ -598,6 +621,7 @@
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -27357,7 +27480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -805,7 +820,7 @@
+@@ -805,7 +829,7 @@
')
files_search_pids($1)
@@ -27366,7 +27489,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1250,3 +1265,329 @@
+@@ -1224,9 +1248,20 @@
+ class x_device all_x_device_perms;
+ class x_pointer all_x_pointer_perms;
+ class x_keyboard all_x_keyboard_perms;
++ class x_screen all_x_screen_perms;
++ class x_drawable { manage };
++ type root_xdrawable_t;
++ attribute x_domain;
++ class x_drawable { read manage setattr show };
++ class x_resource { write read };
+ ')
+
+ allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
++ allow $1 xserver_t:{ x_screen } setattr;
++
++ allow $1 x_domain:x_drawable { read manage setattr show };
++ allow $1 x_domain:x_resource { write read };
++ allow $1 root_xdrawable_t:x_drawable manage;
+ ')
+
+ ########################################
+@@ -1250,3 +1285,329 @@
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
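Review bot: `class x_drawable` is required twice in the `gen_require` block (`{ manage }` and then `{ read manage setattr show }`); fold them into the single line `class x_drawable { read manage setattr show };`. Beyond that, the interface (its header is outside the hunk) now also allows `x_domain:x_drawable { read manage setattr show }`, `x_domain:x_resource { read write }` and `root_xdrawable_t:x_drawable manage`, i.e. control over every other X client's windows and resources, which is considerably more than the core-device management the existing `x_device/x_pointer/x_keyboard` rule suggests. The interface description should say so, and callers that only need input-device control should not silently inherit it.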
@@ -27696,9 +27840,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.10/policy/modules/services/xserver.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.11/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/xserver.te 2010-02-24 16:38:32.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/xserver.te 2010-03-04 10:56:15.000000000 -0500
@@ -36,6 +36,13 @@
##
@@ -27862,7 +28006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(iceauth_t)
-@@ -250,30 +283,57 @@
+@@ -250,30 +283,58 @@
fs_manage_cifs_files(iceauth_t)
')
@@ -27871,6 +28015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ dev_dontaudit_rw_dri(iceauth_t)
+ dev_dontaudit_rw_generic_dev_nodes(iceauth_t)
+ fs_list_inotifyfs(iceauth_t)
++ fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
+ term_dontaudit_use_unallocated_ttys(iceauth_t)
+
+ optional_policy(`
@@ -27923,13 +28068,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
fs_search_auto_mountpoints(xauth_t)
# cjp: why?
-@@ -283,17 +343,35 @@
+@@ -283,17 +344,36 @@
userdom_use_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
+userdom_read_all_users_state(xauth_t)
+
+ifdef(`hide_broken_symptoms', `
++ fs_dontaudit_rw_anon_inodefs_files(xauth_t)
+ userdom_manage_user_home_content_files(xauth_t)
+ userdom_manage_user_tmp_files(xauth_t)
+ dev_dontaudit_rw_generic_dev_nodes(xauth_t)
@@ -27959,7 +28105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
-@@ -305,20 +383,31 @@
+@@ -305,20 +385,31 @@
# XDM Local policy
#
@@ -27994,7 +28140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -334,24 +423,42 @@
+@@ -334,24 +425,42 @@
manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
@@ -28041,7 +28187,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t xserver_t:unix_stream_socket connectto;
allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
-@@ -363,6 +470,7 @@
+@@ -359,10 +468,13 @@
+
+ # transition to the xdm xserver
+ domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
++
++ps_process_pattern(xserver_t, xdm_t)
+ allow xserver_t xdm_t:process signal;
allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xserver_t:shm rw_shm_perms;
@@ -28049,7 +28201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -371,10 +479,14 @@
+@@ -371,10 +483,14 @@
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -28065,7 +28217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctls(xdm_t)
-@@ -394,11 +506,13 @@
+@@ -394,11 +510,13 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -28079,7 +28231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
-@@ -406,6 +520,7 @@
+@@ -406,6 +524,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -28087,7 +28239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -414,18 +529,21 @@
+@@ -414,18 +533,21 @@
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
@@ -28112,7 +28264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -436,9 +554,15 @@
+@@ -436,9 +558,15 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -28128,7 +28280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -447,14 +571,18 @@
+@@ -447,14 +575,18 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -28147,7 +28299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -465,10 +593,12 @@
+@@ -465,10 +597,12 @@
logging_read_generic_logs(xdm_t)
@@ -28162,7 +28314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -477,6 +607,11 @@
+@@ -477,6 +611,11 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -28174,7 +28326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -509,10 +644,12 @@
+@@ -509,10 +648,12 @@
optional_policy(`
alsa_domtrans(xdm_t)
@@ -28187,7 +28339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -520,12 +657,49 @@
+@@ -520,12 +661,49 @@
')
optional_policy(`
@@ -28237,7 +28389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
hostname_exec(xdm_t)
')
-@@ -543,9 +717,43 @@
+@@ -543,9 +721,43 @@
')
optional_policy(`
@@ -28281,7 +28433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
seutil_sigchld_newrole(xdm_t)
')
-@@ -555,8 +763,9 @@
+@@ -555,8 +767,9 @@
')
optional_policy(`
@@ -28293,7 +28445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -565,7 +774,6 @@
+@@ -565,7 +778,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -28301,7 +28453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +784,10 @@
+@@ -576,6 +788,10 @@
')
optional_policy(`
@@ -28312,7 +28464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xdm_t)
')
-@@ -600,10 +812,9 @@
+@@ -600,10 +816,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -28324,7 +28476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +826,18 @@
+@@ -615,6 +830,18 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -28343,7 +28495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +857,19 @@
+@@ -634,12 +861,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -28365,7 +28517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -673,7 +903,6 @@
+@@ -673,7 +907,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -28373,7 +28525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -683,9 +912,12 @@
+@@ -683,9 +916,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -28387,7 +28539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +932,12 @@
+@@ -700,8 +936,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -28397,10 +28549,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+mls_process_write_to_clearance(xserver_t)
+mls_file_read_to_clearance(xserver_t)
+mls_file_write_all_levels(xserver_t)
++mls_file_upgrade(xserver_t)
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -723,6 +959,7 @@
+@@ -723,11 +964,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
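Review bot: `mls_file_upgrade(xserver_t)` is added with no comment recording which RHEL6 test case needed it; as I read refpolicy's mls module, this interface places xserver_t on the MLS file-upgrade exemption, which lets it raise a file's sensitivity level and is a stronger grant than the `mls_file_write_all_levels` line above it. A one-line why-comment would let a later maintainer judge whether it can be dropped, e.g. `# MLS: xserver must raise file levels for <operation observed in RHEL6 testing>`, with the placeholder filled from the AVC that motivated it. The enclosing xserver_t block of xserver.te continues outside this hunk.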
@@ -28408,7 +28561,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
modutils_domtrans_insmod(xserver_t)
-@@ -779,12 +1016,20 @@
+ # read x_contexts
+ seutil_read_default_contexts(xserver_t)
++seutil_read_config(xserver_t)
++seutil_read_file_contexts(xserver_t)
+
+ userdom_search_user_home_dirs(xserver_t)
+ userdom_use_user_ttys(xserver_t)
+@@ -779,12 +1023,20 @@
')
optional_policy(`
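Review bot: The existing comment `# read x_contexts` now sits above the two added calls, but `seutil_read_config(xserver_t)` and `seutil_read_file_contexts(xserver_t)` grant read access to the SELinux configuration tree and the file_contexts database, not just the X contexts file, so the comment undersells what is granted. Suggest a separate comment on the new lines naming what xserver reads them for, e.g. `# also reads /etc/selinux config and file_contexts for <reason>`, or moving them out from under the x_contexts comment. Both interfaces are read-only, so the exposure is limited to policy metadata, but the reason should be recorded. The surrounding xserver_t block continues outside this hunk.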
@@ -28430,7 +28590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
unconfined_domtrans(xserver_t)
')
-@@ -811,7 +1056,7 @@
+@@ -811,7 +1063,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -28439,7 +28599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1077,14 @@
+@@ -832,9 +1084,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -28454,7 +28614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1099,14 @@
+@@ -849,11 +1106,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -28471,7 +28631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -999,3 +1252,33 @@
+@@ -999,3 +1259,33 @@
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -28505,9 +28665,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+tunable_policy(`use_samba_home_dirs',`
+ fs_append_cifs_files(xdmhomewriter)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.7.10/policy/modules/services/zebra.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.7.11/policy/modules/services/zebra.if
--- nsaserefpolicy/policy/modules/services/zebra.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/zebra.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/services/zebra.if 2010-03-03 23:48:01.000000000 -0500
@@ -24,6 +24,26 @@
########################################
@@ -28535,9 +28695,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr
## All of the rules required to administrate
## an zebra environment
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.10/policy/modules/system/application.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.11/policy/modules/system/application.te
--- nsaserefpolicy/policy/modules/system/application.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/application.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/application.te 2010-03-03 23:48:01.000000000 -0500
@@ -7,6 +7,17 @@
# Executables to be run by user
attribute application_exec_type;
@@ -28556,9 +28716,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic
optional_policy(`
ssh_sigchld(application_domain_type)
ssh_rw_stream_sockets(application_domain_type)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.10/policy/modules/system/authlogin.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.11/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/system/authlogin.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/authlogin.fc 2010-03-03 23:48:01.000000000 -0500
@@ -7,12 +7,10 @@
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
@@ -28573,20 +28733,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
ifdef(`distro_suse', `
-@@ -42,6 +40,9 @@
+@@ -42,6 +40,8 @@
/var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
/var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
-
/var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
++/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
-+
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
-+/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.10/policy/modules/system/authlogin.if
---- nsaserefpolicy/policy/modules/system/authlogin.if 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/authlogin.if 2010-02-23 15:54:38.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.11/policy/modules/system/authlogin.if
+--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-03-03 23:26:37.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/authlogin.if 2010-03-03 23:48:01.000000000 -0500
@@ -40,17 +40,76 @@
##
##
@@ -28754,17 +28913,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
- sysnet_dns_name_resolve($1)
- sysnet_use_ldap($1)
-
-- optional_policy(`
-- kerberos_use($1)
-- ')
--
optional_policy(`
-- nis_use_ypbind($1)
+- kerberos_use($1)
+ kerberos_read_keytab($1)
+ kerberos_connect_524($1)
')
optional_policy(`
+- nis_use_ypbind($1)
+- ')
+-
+- optional_policy(`
- pcscd_read_pub_files($1)
+ pcscd_manage_pub_files($1)
+ pcscd_manage_pub_pipes($1)
@@ -28867,7 +29026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Do not audit attempts to write to
## login records files.
##
-@@ -1378,6 +1521,8 @@
+@@ -1388,6 +1531,8 @@
#
interface(`auth_use_nsswitch',`
@@ -28876,7 +29035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
files_list_var_lib($1)
# read /etc/nsswitch.conf
-@@ -1393,16 +1538,33 @@
+@@ -1403,16 +1548,33 @@
')
optional_policy(`
@@ -28911,9 +29070,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.10/policy/modules/system/authlogin.te
---- nsaserefpolicy/policy/modules/system/authlogin.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/authlogin.te 2010-02-25 18:15:10.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.11/policy/modules/system/authlogin.te
+--- nsaserefpolicy/policy/modules/system/authlogin.te 2010-03-01 15:12:54.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/authlogin.te 2010-03-03 23:48:01.000000000 -0500
@@ -103,8 +103,10 @@
fs_dontaudit_getattr_xattr_fs(chkpwd_t)
@@ -28944,9 +29103,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
########################################
#
# PAM local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.10/policy/modules/system/daemontools.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.11/policy/modules/system/daemontools.if
--- nsaserefpolicy/policy/modules/system/daemontools.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/system/daemontools.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/daemontools.if 2010-03-03 23:48:01.000000000 -0500
@@ -71,6 +71,32 @@
domtrans_pattern($1, svc_start_exec_t, svc_start_t)
')
@@ -29027,9 +29186,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon
+
+ allow $1 svc_run_t:process sigchld;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.7.10/policy/modules/system/daemontools.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.7.11/policy/modules/system/daemontools.te
--- nsaserefpolicy/policy/modules/system/daemontools.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/system/daemontools.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/daemontools.te 2010-03-03 23:48:01.000000000 -0500
@@ -39,7 +39,10 @@
# multilog creates /service/*/log/status
manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)
@@ -29102,9 +29261,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon
+
daemontools_domtrans_run(svc_start_t)
daemontools_manage_svc(svc_start_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.10/policy/modules/system/fstools.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.11/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/fstools.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/fstools.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,4 +1,3 @@
-/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -29130,9 +29289,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
/usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.10/policy/modules/system/fstools.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.11/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/fstools.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/fstools.te 2010-03-03 23:48:01.000000000 -0500
@@ -118,6 +118,8 @@
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
@@ -29152,9 +29311,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
ifdef(`distro_redhat',`
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.7.10/policy/modules/system/getty.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.7.11/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/getty.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/getty.te 2010-03-03 23:48:01.000000000 -0500
@@ -56,11 +56,10 @@
manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t)
files_pid_filetrans(getty_t, getty_var_run_t, file)
@@ -29170,9 +29329,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.
dev_read_sysfs(getty_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.7.10/policy/modules/system/hostname.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.7.11/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/hostname.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/hostname.te 2010-03-03 23:48:01.000000000 -0500
@@ -27,15 +27,18 @@
dev_read_sysfs(hostname_t)
@@ -29192,23 +29351,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna
fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
term_dontaudit_use_console(hostname_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.7.10/policy/modules/system/hotplug.te
---- nsaserefpolicy/policy/modules/system/hotplug.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/system/hotplug.te 2010-02-23 15:54:38.000000000 -0500
-@@ -125,6 +125,10 @@
- ')
-
- optional_policy(`
-+ brctl_domtrans(hotplug_t)
-+')
-+
-+optional_policy(`
- consoletype_exec(hotplug_t)
- ')
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.10/policy/modules/system/init.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.11/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/system/init.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/init.fc 2010-03-03 23:48:01.000000000 -0500
@@ -4,10 +4,10 @@
/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -29232,10 +29377,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
#
# /var
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.10/policy/modules/system/init.if
---- nsaserefpolicy/policy/modules/system/init.if 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/init.if 2010-02-23 15:54:38.000000000 -0500
-@@ -162,8 +162,10 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.11/policy/modules/system/init.if
+--- nsaserefpolicy/policy/modules/system/init.if 2010-03-01 15:12:54.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/init.if 2010-03-03 23:48:01.000000000 -0500
+@@ -193,8 +193,10 @@
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
type initrc_t;
@@ -29246,7 +29391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
typeattribute $1 daemon;
-@@ -174,6 +176,15 @@
+@@ -205,6 +207,15 @@
role system_r types $1;
domtrans_pattern(initrc_t,$2,$1)
@@ -29262,7 +29407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
# daemons started from init will
# inherit fds from init for the console
-@@ -233,7 +244,7 @@
+@@ -285,7 +296,7 @@
type initrc_t;
')
@@ -29271,7 +29416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
ifdef(`enable_mcs',`
range_transition initrc_t $2:process $3;
-@@ -265,6 +276,7 @@
+@@ -338,6 +349,7 @@
gen_require(`
type initrc_t;
role system_r;
@@ -29279,7 +29424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
application_domain($1,$2)
-@@ -272,6 +284,9 @@
+@@ -345,6 +357,9 @@
role system_r types $1;
domtrans_pattern(initrc_t,$2,$1)
@@ -29289,7 +29434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
-@@ -280,6 +295,36 @@
+@@ -353,6 +368,36 @@
kernel_dontaudit_use_fds($1)
')
')
@@ -29326,7 +29471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
-@@ -546,7 +591,8 @@
+@@ -681,7 +726,8 @@
# upstart uses a datagram socket instead of initctl pipe
allow $1 self:unix_dgram_socket create_socket_perms;
@@ -29336,7 +29481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
')
-@@ -619,18 +665,19 @@
+@@ -754,18 +800,19 @@
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -29360,7 +29505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
')
-@@ -646,19 +693,39 @@
+@@ -781,19 +828,39 @@
#
interface(`init_domtrans_script',`
gen_require(`
@@ -29404,7 +29549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
-@@ -714,8 +781,10 @@
+@@ -849,8 +916,10 @@
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -29415,7 +29560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
domtrans_pattern($1, $2, initrc_t)
files_search_etc($1)
')
-@@ -923,6 +992,24 @@
+@@ -1058,6 +1127,24 @@
allow $1 init_script_file_type:file read_file_perms;
')
@@ -29440,7 +29585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
########################################
##
## Execute all init scripts in the caller domain.
-@@ -1142,7 +1229,7 @@
+@@ -1277,7 +1364,7 @@
type initrc_t;
')
@@ -29449,7 +29594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
-@@ -1310,6 +1397,25 @@
+@@ -1445,6 +1532,25 @@
########################################
##
@@ -29475,7 +29620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
## Create files in a init script
## temporary data directory.
##
-@@ -1465,7 +1571,7 @@
+@@ -1600,7 +1706,7 @@
type initrc_var_run_t;
')
@@ -29484,7 +29629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
-@@ -1540,3 +1646,76 @@
+@@ -1675,3 +1781,76 @@
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -29561,9 +29706,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+ init_dontaudit_use_script_fds($1)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.10/policy/modules/system/init.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.11/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/init.te 2010-02-25 16:45:03.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/init.te 2010-03-03 23:48:01.000000000 -0500
@@ -17,6 +17,20 @@
##
gen_tunable(init_upstart, false)
@@ -30134,11 +30279,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -793,3 +958,31 @@
+@@ -793,3 +958,34 @@
optional_policy(`
zebra_read_config(initrc_t)
')
+
++# if I start an initrc script from an random director I can generate this avc
++files_dontaudit_search_all_dirs(daemon)
++
+userdom_inherit_append_user_home_content_files(daemon)
+userdom_inherit_append_user_tmp_files(daemon)
+userdom_dontaudit_rw_stream(daemon)
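Review bot: `files_dontaudit_search_all_dirs(daemon)` is scoped to the whole `daemon` attribute, so it silences search denials on every directory type for every daemon domain, while the comment describes a narrow trigger (an initrc script launched from an arbitrary cwd). That removes a useful audit signal — a daemon probing directories it has no business in would no longer surface in the audit log — to hide a cosmetic denial; consider scoping the dontaudit to the domain(s) where the AVC was actually observed rather than to `daemon`. The comment also has typos; suggest `# initrc scripts started from an arbitrary cwd search that dir; dontaudit the resulting AVC`. The enclosing block of init.te continues outside this hunk.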
@@ -30166,9 +30314,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+optional_policy(`
+ fail2ban_read_lib_files(daemon)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.10/policy/modules/system/ipsec.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.11/policy/modules/system/ipsec.fc
--- nsaserefpolicy/policy/modules/system/ipsec.fc 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/ipsec.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/ipsec.fc 2010-03-03 23:48:01.000000000 -0500
@@ -37,6 +37,8 @@
/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
@@ -30179,9 +30327,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
+/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
-/var/run/racoon.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.10/policy/modules/system/ipsec.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.11/policy/modules/system/ipsec.if
--- nsaserefpolicy/policy/modules/system/ipsec.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/ipsec.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/ipsec.if 2010-03-03 23:48:01.000000000 -0500
@@ -39,6 +39,25 @@
########################################
@@ -30208,9 +30356,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
## Get the attributes of an IPSEC key socket.
##
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.10/policy/modules/system/ipsec.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.11/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/ipsec.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/ipsec.te 2010-03-03 23:48:01.000000000 -0500
@@ -29,9 +29,15 @@
type ipsec_key_file_t;
files_type(ipsec_key_file_t)
@@ -30348,9 +30496,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
userdom_use_user_terminals(setkey_t)
+userdom_read_user_tmp_files(setkey_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.10/policy/modules/system/iptables.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.11/policy/modules/system/iptables.fc
--- nsaserefpolicy/policy/modules/system/iptables.fc 2010-02-12 16:41:05.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/iptables.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/iptables.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,6 +1,4 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -30358,9 +30506,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.10/policy/modules/system/iptables.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.11/policy/modules/system/iptables.if
--- nsaserefpolicy/policy/modules/system/iptables.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/iptables.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/iptables.if 2010-03-03 23:48:01.000000000 -0500
@@ -17,6 +17,10 @@
corecmd_search_bin($1)
@@ -30372,9 +30520,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.10/policy/modules/system/iptables.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.11/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/iptables.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/iptables.te 2010-03-03 23:48:01.000000000 -0500
@@ -14,9 +14,6 @@
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
@@ -30448,9 +30596,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
udev_read_db(iptables_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.7.10/policy/modules/system/iscsi.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.7.11/policy/modules/system/iscsi.fc
--- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/system/iscsi.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/iscsi.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,5 +1,9 @@
/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
@@ -30461,9 +30609,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
+/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0)
+
/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.10/policy/modules/system/iscsi.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.11/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/iscsi.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/iscsi.te 2010-03-03 23:48:01.000000000 -0500
@@ -14,6 +14,9 @@
type iscsi_lock_t;
files_lock_file(iscsi_lock_t)
@@ -30499,15 +30647,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
-@@ -54,6 +63,7 @@
+@@ -54,8 +63,8 @@
manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
+kernel_read_network_state(iscsid_t)
kernel_read_system_state(iscsid_t)
- kernel_search_debugfs(iscsid_t)
+-kernel_search_debugfs(iscsid_t)
-@@ -67,13 +77,21 @@
+ corenet_all_recvfrom_unlabeled(iscsid_t)
+ corenet_all_recvfrom_netlabel(iscsid_t)
+@@ -67,13 +76,21 @@
corenet_tcp_connect_isns_port(iscsid_t)
dev_rw_sysfs(iscsid_t)
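Review bot: `kernel_search_debugfs(iscsid_t)` is now removed from iscsi.te, but nothing in this hunk replaces it with the dontaudit the commit message promises ("Dontaudit searches of debugfs mount point"); if that dontaudit lives in another hunk this is fine, otherwise iscsid will start emitting search AVCs on debugfs. The removal itself is a sound least-privilege change, so the only request is to confirm the replacement is present and, if it is, to note it next to the removal, e.g. `# debugfs search is dontaudited in kernel.if instead`. The iscsid_t block continues outside this hunk.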
@@ -30529,9 +30679,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
+optional_policy(`
+ tgtd_rw_semaphores(iscsid_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.10/policy/modules/system/libraries.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.11/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/system/libraries.fc 2010-03-01 10:44:28.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/libraries.fc 2010-03-03 23:48:01.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
@@ -30892,9 +31042,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.10/policy/modules/system/libraries.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.11/policy/modules/system/libraries.if
--- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/system/libraries.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/libraries.if 2010-03-03 23:48:01.000000000 -0500
@@ -17,6 +17,7 @@
corecmd_search_bin($1)
@@ -30921,9 +31071,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
allow $1 lib_t:dir list_dir_perms;
read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.10/policy/modules/system/libraries.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.11/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/libraries.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/libraries.te 2010-03-03 23:48:01.000000000 -0500
@@ -58,11 +58,11 @@
# ldconfig local policy
#
@@ -30996,9 +31146,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+optional_policy(`
+ unconfined_domain(ldconfig_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.10/policy/modules/system/locallogin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.11/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/locallogin.te 2010-02-25 18:19:19.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/locallogin.te 2010-03-03 23:48:01.000000000 -0500
@@ -33,9 +33,8 @@
# Local login local policy
#
@@ -31099,9 +31249,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
-optional_policy(`
- nscd_socket_use(sulogin_t)
-')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.10/policy/modules/system/logging.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.11/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/system/logging.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/logging.fc 2010-03-03 23:48:01.000000000 -0500
@@ -17,6 +17,10 @@
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
@@ -31141,10 +31291,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.10/policy/modules/system/logging.if
---- nsaserefpolicy/policy/modules/system/logging.if 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/logging.if 2010-02-23 15:54:38.000000000 -0500
-@@ -69,6 +69,20 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.11/policy/modules/system/logging.if
+--- nsaserefpolicy/policy/modules/system/logging.if 2010-03-01 15:12:54.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/logging.if 2010-03-03 23:48:01.000000000 -0500
+@@ -96,6 +96,20 @@
########################################
##
@@ -31165,15 +31315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
## Set up audit
##
##
-@@ -450,7 +464,6 @@
- # If syslog is down, the glibc syslog() function
- # will write to the console.
- term_write_console($1)
-- term_dontaudit_read_console($1)
- ')
-
- ########################################
-@@ -625,7 +638,25 @@
+@@ -701,7 +715,25 @@
')
files_search_var($1)
@@ -31200,7 +31342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-@@ -708,7 +739,9 @@
+@@ -784,7 +816,9 @@
files_search_var($1)
manage_files_pattern($1, logfile, logfile)
@@ -31211,9 +31353,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.10/policy/modules/system/logging.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.11/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/logging.te 2010-02-25 18:10:25.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/logging.te 2010-03-03 23:48:01.000000000 -0500
@@ -101,6 +101,7 @@
kernel_read_kernel_sysctls(auditctl_t)
@@ -31356,9 +31498,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
udev_read_db(syslogd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.10/policy/modules/system/lvm.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.11/policy/modules/system/lvm.fc
--- nsaserefpolicy/policy/modules/system/lvm.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/system/lvm.fc 2010-02-25 18:42:51.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/lvm.fc 2010-03-03 23:48:01.000000000 -0500
@@ -28,6 +28,7 @@
#
/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -31367,9 +31509,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
#
# /sbin
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.10/policy/modules/system/lvm.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.11/policy/modules/system/lvm.if
--- nsaserefpolicy/policy/modules/system/lvm.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/lvm.if 2010-02-26 08:35:35.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/lvm.if 2010-03-03 23:48:01.000000000 -0500
@@ -34,7 +34,7 @@
type lvm_exec_t;
')
@@ -31379,9 +31521,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if
can_exec($1, lvm_exec_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.10/policy/modules/system/lvm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.11/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/lvm.te 2010-02-26 08:56:01.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/lvm.te 2010-03-03 23:48:01.000000000 -0500
@@ -142,6 +142,11 @@
')
@@ -31430,9 +31572,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
bootloader_rw_tmp_files(lvm_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.10/policy/modules/system/miscfiles.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.11/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/miscfiles.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/miscfiles.fc 2010-03-03 23:48:01.000000000 -0500
@@ -42,6 +42,7 @@
/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
@@ -31459,9 +31601,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
ifdef(`distro_debian',`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.10/policy/modules/system/miscfiles.if
---- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/miscfiles.if 2010-02-23 15:54:38.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.11/policy/modules/system/miscfiles.if
+--- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-03-01 15:12:54.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/miscfiles.if 2010-03-03 23:48:01.000000000 -0500
@@ -73,7 +73,8 @@
#
interface(`miscfiles_read_fonts',`
@@ -31552,9 +31694,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.7.10/policy/modules/system/miscfiles.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.7.11/policy/modules/system/miscfiles.te
--- nsaserefpolicy/policy/modules/system/miscfiles.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/miscfiles.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/miscfiles.te 2010-03-03 23:48:01.000000000 -0500
@@ -19,6 +19,9 @@
type fonts_t;
files_type(fonts_t)
@@ -31565,9 +31707,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
#
# type for /usr/share/hwdata
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.10/policy/modules/system/modutils.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.11/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/modutils.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/modutils.te 2010-03-03 23:48:01.000000000 -0500
@@ -19,6 +19,7 @@
type insmod_exec_t;
application_domain(insmod_t, insmod_exec_t)
@@ -31673,23 +31815,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.10/policy/modules/system/mount.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.11/policy/modules/system/mount.fc
--- nsaserefpolicy/policy/modules/system/mount.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/system/mount.fc 2010-02-23 15:54:38.000000000 -0500
-@@ -1,4 +1,9 @@
++++ serefpolicy-3.7.11/policy/modules/system/mount.fc 2010-03-04 07:59:10.000000000 -0500
+@@ -1,4 +1,10 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
+/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
++/usr/sbin/showmount -- gen_context(system_u:object_r:showmount_exec_t,s0)
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.10/policy/modules/system/mount.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.11/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/system/mount.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/mount.if 2010-03-04 07:59:10.000000000 -0500
@@ -16,6 +16,14 @@
')
@@ -31726,7 +31869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
########################################
-@@ -177,3 +189,57 @@
+@@ -177,3 +189,100 @@
mount_domtrans_unconfined($1)
role $2 types unconfined_mount_t;
')
@@ -31784,9 +31927,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+
+ dontaudit $1 fusermount_exec_t:file exec_file_perms;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.10/policy/modules/system/mount.te
++
++######################################
++##
++## Execute a domain transition to run showmount.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`mount_domtrans_showmount',`
++ gen_require(`
++ type showmount_t, showmount_exec_t;
++ ')
++
++ domtrans_pattern($1, showmount_exec_t, showmount_t)
++')
++
++######################################
++##
++## Execute showmount in the showmount domain, and
++## allow the specified role the showmount domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the showmount domain.
++##
++##
++#
++interface(`mount_run_showmount',`
++ gen_require(`
++ type showmount_t;
++ ')
++
++ mount_domtrans_showmount($1)
++ role $2 types showmount_t;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.11/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/system/mount.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/mount.te 2010-03-04 07:59:10.000000000 -0500
@@ -18,8 +18,15 @@
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
@@ -31803,7 +31989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
type mount_tmp_t;
files_tmp_file(mount_tmp_t)
-@@ -29,6 +36,10 @@
+@@ -29,6 +36,19 @@
# policy--duplicate type declaration
type unconfined_mount_t;
application_domain(unconfined_mount_t, mount_exec_t)
@@ -31811,10 +31997,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+
+type mount_var_run_t;
+files_pid_file(mount_var_run_t)
++
++# showmount - show mount information for an NFS server
++
++type showmount_t;
++type showmount_exec_t;
++application_domain(showmount_t, showmount_exec_t)
++role system_r types showmount_t;
++
++permissive showmount_t;
########################################
#
-@@ -36,7 +47,11 @@
+@@ -36,7 +56,11 @@
#
# setuid/setgid needed to mount cifs
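Review bot: `permissive showmount_t;` near the end of the hunk puts the new domain in permissive mode, so every denial for showmount_t is logged but never enforced while the rest of the system stays enforcing, and nothing in the hunk marks that as temporary. Bringing a new domain in permissive is the usual Fedora practice, but a comment such as `# TODO: drop permissive once showmount_t has been exercised on an enforcing host` above the statement would keep the follow-up visible through the next rebase. The `role system_r types showmount_t;` line alone only lets system_r reach the domain; the `mount_run_showmount` interface added in mount.if exists for other roles, but no caller of it is visible in this chunk, so the domain would presumably be reached only via `mount_domtrans_showmount` from system processes for now.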
@@ -31827,7 +32022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
allow mount_t mount_loopback_t:file read_file_perms;
-@@ -47,21 +62,38 @@
+@@ -47,21 +71,38 @@
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
@@ -31867,7 +32062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
files_search_all(mount_t)
files_read_etc_files(mount_t)
-@@ -70,7 +102,7 @@
+@@ -70,7 +111,7 @@
files_mounton_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)
# These rules need to be generalized. Only admin, initrc should have it:
@@ -31876,7 +32071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
# for when /etc/mtab loses its type
-@@ -80,15 +112,18 @@
+@@ -80,15 +121,18 @@
files_read_usr_files(mount_t)
files_list_mnt(mount_t)
@@ -31898,7 +32093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
mls_file_read_all_levels(mount_t)
mls_file_write_all_levels(mount_t)
-@@ -99,6 +134,7 @@
+@@ -99,6 +143,7 @@
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
@@ -31906,7 +32101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
term_use_all_terms(mount_t)
-@@ -107,6 +143,8 @@
+@@ -107,6 +152,8 @@
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -31915,7 +32110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
logging_send_syslog_msg(mount_t)
-@@ -117,6 +155,8 @@
+@@ -117,6 +164,8 @@
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -31924,7 +32119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
ifdef(`distro_redhat',`
optional_policy(`
-@@ -132,10 +172,17 @@
+@@ -132,10 +181,17 @@
')
')
@@ -31942,7 +32137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
optional_policy(`
-@@ -165,6 +212,8 @@
+@@ -165,6 +221,8 @@
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -31951,7 +32146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
optional_policy(`
-@@ -172,6 +221,25 @@
+@@ -172,6 +230,25 @@
')
optional_policy(`
@@ -31977,7 +32172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -179,6 +247,11 @@
+@@ -179,6 +256,11 @@
')
')
@@ -31989,7 +32184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -186,6 +259,19 @@
+@@ -186,6 +268,19 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -32009,7 +32204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
########################################
-@@ -195,5 +281,10 @@
+@@ -195,5 +290,41 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
@@ -32021,9 +32216,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+ devicekit_dbus_chat_disk(unconfined_mount_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.10/policy/modules/system/raid.te
++######################################
++#
++# showmount local policy
++#
++
++allow showmount_t self:tcp_socket create_stream_socket_perms;
++allow showmount_t self:udp_socket create_socket_perms;
++
++kernel_read_system_state(showmount_t)
++
++corenet_all_recvfrom_unlabeled(showmount_t)
++corenet_all_recvfrom_netlabel(showmount_t)
++corenet_tcp_sendrecv_generic_if(showmount_t)
++corenet_udp_sendrecv_generic_if(showmount_t)
++corenet_tcp_sendrecv_generic_node(showmount_t)
++corenet_udp_sendrecv_generic_node(showmount_t)
++corenet_tcp_sendrecv_all_ports(showmount_t)
++corenet_udp_sendrecv_all_ports(showmount_t)
++corenet_tcp_bind_generic_node(showmount_t)
++corenet_udp_bind_generic_node(showmount_t)
++corenet_tcp_bind_all_rpc_ports(showmount_t)
++corenet_udp_bind_all_rpc_ports(showmount_t)
++corenet_tcp_connect_all_ports(showmount_t)
++
++files_read_etc_files(showmount_t)
++
++miscfiles_read_localization(showmount_t)
++
++sysnet_dns_name_resolve(showmount_t)
++
++userdom_use_user_terminals(showmount_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.11/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/raid.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/raid.te 2010-03-03 23:48:01.000000000 -0500
@@ -51,11 +51,13 @@
dev_dontaudit_getattr_generic_chr_files(mdadm_t)
dev_dontaudit_getattr_generic_blk_files(mdadm_t)
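Review bot: `corenet_tcp_connect_all_ports(showmount_t)` near the end of the showmount block lets the new domain connect to every labelled TCP port, which is broader than showmount's role of asking the portmapper where mountd listens and then talking to that one service. Because mountd's port is assigned dynamically some breadth is unavoidable, but combined with the `permissive showmount_t;` declared in the earlier mount.te hunk the domain is effectively unconfined for outbound TCP; if the port set can be bounded, `corenet_tcp_connect_portmap_port(showmount_t)` (already used elsewhere in this patch) plus `corenet_tcp_connect_all_rpc_ports(showmount_t)` would be the tighter form. If the all-ports rule is genuinely required, a comment stating why, e.g. `# mountd registers on an arbitrary port; portmap lookup alone is not enough`, belongs above the line so the next reviewer does not re-raise it.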
@@ -32038,9 +32264,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t
fs_search_auto_mountpoints(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.10/policy/modules/system/selinuxutil.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.11/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/system/selinuxutil.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/selinuxutil.fc 2010-03-03 23:48:01.000000000 -0500
@@ -6,13 +6,13 @@
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
@@ -32080,10 +32306,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.10/policy/modules/system/selinuxutil.if
---- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/system/selinuxutil.if 2010-03-01 11:55:49.000000000 -0500
-@@ -351,6 +351,27 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.11/policy/modules/system/selinuxutil.if
+--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-03-03 23:26:37.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/selinuxutil.if 2010-03-03 23:48:01.000000000 -0500
+@@ -361,6 +361,27 @@
########################################
##
@@ -32111,7 +32337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
## Execute run_init in the run_init domain.
##
##
-@@ -535,6 +556,53 @@
+@@ -545,6 +566,53 @@
########################################
##
@@ -32165,7 +32391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
## Execute setfiles in the caller domain.
##
##
-@@ -680,6 +748,7 @@
+@@ -690,6 +758,7 @@
')
files_search_etc($1)
@@ -32173,7 +32399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
manage_files_pattern($1, selinux_config_t, selinux_config_t)
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
')
-@@ -999,6 +1068,26 @@
+@@ -1009,6 +1078,26 @@
########################################
##
@@ -32200,7 +32426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
-@@ -1010,7 +1099,7 @@
+@@ -1020,7 +1109,7 @@
##
##
##
@@ -32209,7 +32435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
##
##
##
-@@ -1028,6 +1117,54 @@
+@@ -1038,6 +1127,54 @@
########################################
##
@@ -32264,7 +32490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
## Full management of the semanage
## module store.
##
-@@ -1139,3 +1276,194 @@
+@@ -1149,3 +1286,194 @@
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
@@ -32459,9 +32685,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+ hotplug_use_fds($1)
+')
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.10/policy/modules/system/selinuxutil.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.11/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/selinuxutil.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/selinuxutil.te 2010-03-03 23:48:01.000000000 -0500
@@ -23,6 +23,9 @@
type selinux_config_t;
files_type(selinux_config_t)
@@ -32846,9 +33072,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
- hotplug_use_fds(setfiles_t)
+ unconfined_domain(setfiles_mac_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.10/policy/modules/system/sysnetwork.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.11/policy/modules/system/sysnetwork.fc
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/sysnetwork.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/sysnetwork.fc 2010-03-03 23:48:01.000000000 -0500
@@ -13,6 +13,9 @@
/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
@@ -32882,9 +33108,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
+
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.10/policy/modules/system/sysnetwork.if
---- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/sysnetwork.if 2010-02-23 15:54:38.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.11/policy/modules/system/sysnetwork.if
+--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-03-01 15:12:54.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/sysnetwork.if 2010-03-03 23:48:01.000000000 -0500
@@ -43,6 +43,41 @@
sysnet_domtrans_dhcpc($1)
@@ -32954,7 +33180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
#######################################
-@@ -230,7 +283,8 @@
+@@ -251,7 +304,8 @@
')
files_search_etc($1)
@@ -32964,7 +33190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
#######################################
-@@ -323,7 +377,8 @@
+@@ -344,7 +398,8 @@
type net_conf_t;
')
@@ -32974,7 +33200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
#######################################
-@@ -380,6 +435,10 @@
+@@ -401,6 +456,10 @@
corecmd_search_bin($1)
domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
@@ -32985,7 +33211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
########################################
-@@ -464,6 +523,7 @@
+@@ -485,6 +544,7 @@
')
files_search_etc($1)
@@ -32993,7 +33219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
')
-@@ -541,9 +601,9 @@
+@@ -562,9 +622,9 @@
type net_conf_t;
')
@@ -33004,11 +33230,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
corenet_all_recvfrom_unlabeled($1)
corenet_all_recvfrom_netlabel($1)
-@@ -557,7 +617,15 @@
+@@ -577,7 +637,16 @@
+ corenet_tcp_connect_dns_port($1)
corenet_sendrecv_dns_client_packets($1)
- files_search_etc($1)
-- allow $1 net_conf_t:file read_file_perms;
+- sysnet_read_config($1)
++ files_search_etc($1)
+ read_files_pattern($1, net_conf_t, net_conf_t)
+
+ optional_policy(`
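Review bot: The patch now removes upstream's `sysnet_read_config($1)` from three interfaces but re-inlines the read inconsistently: the DNS interface ends up with `files_search_etc($1)` plus the pre-existing `read_files_pattern($1, net_conf_t, net_conf_t)`, while the LDAP and portmap interfaces in the next hunk get `files_search_etc($1)` plus `allow $1 net_conf_t:file read_file_perms;`. Both grant the file read, but read_files_pattern also allows search on net_conf_t directories, so the three interfaces no longer carry identical permissions; using one form in all three would remove the divergence. The reason the downstream patch avoids `sysnet_read_config` here is not recorded; if it is deliberate (presumably the Fedora variant of that interface grants more than this single read), a one-line comment at each site, e.g. `# inlined instead of sysnet_read_config(): keep these callers to the net_conf_t read only`, would stop the next rebase from re-merging upstream's call.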
@@ -33021,19 +33248,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
########################################
-@@ -587,6 +655,8 @@
+@@ -605,7 +674,10 @@
+ corenet_tcp_connect_ldap_port($1)
+ corenet_sendrecv_ldap_client_packets($1)
- files_search_etc($1)
- allow $1 net_conf_t:file read_file_perms;
+- sysnet_read_config($1)
++ files_search_etc($1)
++ allow $1 net_conf_t:file read_file_perms;
+ # LDAP Configuration using encrypted requires
+ dev_read_urand($1)
')
########################################
-@@ -621,3 +691,49 @@
- files_search_etc($1)
- allow $1 net_conf_t:file read_file_perms;
- ')
+@@ -637,5 +709,52 @@
+ corenet_tcp_connect_portmap_port($1)
+ corenet_sendrecv_portmap_client_packets($1)
+
+- sysnet_read_config($1)
++ files_search_etc($1)
++ allow $1 net_conf_t:file read_file_perms;
++')
+
+########################################
+##
@@ -33079,10 +33313,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+ ')
+
+ role_transition $1 dhcpc_exec_t system_r;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.10/policy/modules/system/sysnetwork.te
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.11/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/sysnetwork.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/sysnetwork.te 2010-03-03 23:48:01.000000000 -0500
@@ -20,6 +20,9 @@
init_daemon_domain(dhcpc_t, dhcpc_exec_t)
role system_r types dhcpc_t;
@@ -33230,17 +33464,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
# for /sbin/ip
-@@ -260,7 +276,9 @@
+@@ -260,6 +276,7 @@
kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
+kernel_request_load_module(ifconfig_t)
kernel_search_network_sysctl(ifconfig_t)
-+kernel_search_debugfs(ifconfig_t)
kernel_rw_net_sysctls(ifconfig_t)
- corenet_rw_tun_tap_dev(ifconfig_t)
-@@ -269,15 +287,23 @@
+@@ -269,15 +286,23 @@
# for IPSEC setup:
dev_read_urand(ifconfig_t)
@@ -33265,7 +33497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
files_dontaudit_read_root_files(ifconfig_t)
-@@ -294,6 +320,8 @@
+@@ -294,6 +319,8 @@
seutil_use_runinit_fds(ifconfig_t)
@@ -33274,7 +33506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
-@@ -330,8 +358,22 @@
+@@ -330,8 +357,22 @@
')
optional_policy(`
@@ -33297,10 +33529,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+ hal_dontaudit_rw_pipes(ifconfig_t)
+ hal_dontaudit_rw_dgram_sockets(ifconfig_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.10/policy/modules/system/udev.if
---- nsaserefpolicy/policy/modules/system/udev.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/udev.if 2010-02-23 15:54:38.000000000 -0500
-@@ -186,6 +186,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.11/policy/modules/system/udev.if
+--- nsaserefpolicy/policy/modules/system/udev.if 2010-03-03 23:26:37.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/udev.if 2010-03-03 23:48:01.000000000 -0500
+@@ -192,6 +192,7 @@
dev_list_all_dev_nodes($1)
allow $1 udev_tbl_t:file rw_file_perms;
@@ -33308,9 +33540,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.10/policy/modules/system/udev.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.11/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/udev.te 2010-02-25 18:43:22.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/udev.te 2010-03-03 23:48:01.000000000 -0500
@@ -50,6 +50,7 @@
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -33370,9 +33602,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
kernel_write_xen_state(udev_t)
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.10/policy/modules/system/unconfined.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.11/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/unconfined.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/unconfined.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,15 +1 @@
# Add programs here which should not be confined by SELinux
-# e.g.:
@@ -33389,9 +33621,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
-ifdef(`distro_gentoo',`
-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.10/policy/modules/system/unconfined.if
---- nsaserefpolicy/policy/modules/system/unconfined.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/system/unconfined.if 2010-02-23 15:54:38.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.11/policy/modules/system/unconfined.if
+--- nsaserefpolicy/policy/modules/system/unconfined.if 2010-03-01 15:12:54.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/unconfined.if 2010-03-03 23:48:01.000000000 -0500
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -33463,7 +33695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
-@@ -111,16 +123,15 @@
+@@ -122,6 +134,10 @@
##
#
interface(`unconfined_domain',`
@@ -33474,17 +33706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
unconfined_domain_noaudit($1)
tunable_policy(`allow_execheap',`
- auditallow $1 self:process execheap;
- ')
--
--# Turn off this audit for FC5
--# tunable_policy(`allow_execmem',`
--# auditallow $1 self:process execmem;
--# ')
- ')
-
- ########################################
-@@ -173,411 +184,3 @@
+@@ -179,411 +195,3 @@
refpolicywarn(`$0($1) has been deprecated.')
')
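Review bot: The removal of `auditallow $1 self:process execheap;` from `unconfined_domain` no longer appears in the patch — the `- auditallow …` / `- ')` lines are dropped here and the inner hunk shrinks from `-@@ -111,16 +123,15 @@` to `+@@ -122,6 +134,10 @@`. If upstream 3.7.11 still carries that auditallow, every execheap use by an unconfined domain will now produce an audit record, which is a behaviour change the commit message does not mention; if upstream merged the removal, a line in the commit message saying so would make the rebase reviewable. The interface body continues outside the hunk.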
@@ -33896,9 +34118,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
-
- allow $1 unconfined_t:dbus acquire_svc;
-')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.10/policy/modules/system/unconfined.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.11/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/unconfined.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/unconfined.te 2010-03-03 23:48:01.000000000 -0500
@@ -5,227 +5,5 @@
#
# Declarations
@@ -34128,9 +34350,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
- hal_dbus_chat(unconfined_execmem_t)
- ')
-')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.10/policy/modules/system/userdomain.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.11/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/system/userdomain.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/userdomain.fc 2010-03-03 23:48:01.000000000 -0500
@@ -1,4 +1,11 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
@@ -34144,9 +34366,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.gvfs(/.*)? <>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.10/policy/modules/system/userdomain.if
---- nsaserefpolicy/policy/modules/system/userdomain.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/userdomain.if 2010-03-01 10:27:00.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.11/policy/modules/system/userdomain.if
+--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/userdomain.if 2010-03-03 23:48:01.000000000 -0500
@@ -30,8 +30,9 @@
')
@@ -35166,7 +35388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
userdom_common_user_template($1)
##############################
-@@ -953,54 +1071,71 @@
+@@ -953,54 +1071,73 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -35181,6 +35403,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- files_read_kernel_symbol_table($1_t)
+ storage_rw_fuse($1_t)
+
++ miscfiles_read_hwdata($1_usertype)
++
+ # Allow users to run TCP servers (bind to ports and accept connection from
+ # the same domain and outside users) disabling this forces FTP passive mode
+ # and may change other protocols
@@ -35267,7 +35491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -1036,7 +1171,7 @@
+@@ -1036,7 +1173,7 @@
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -35276,7 +35500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
##############################
-@@ -1045,8 +1180,7 @@
+@@ -1045,8 +1182,7 @@
#
# Inherit rules for ordinary users.
@@ -35286,7 +35510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
-@@ -1071,6 +1205,9 @@
+@@ -1071,6 +1207,9 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -35296,7 +35520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1085,6 +1222,7 @@
+@@ -1085,6 +1224,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -35304,7 +35528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1092,8 +1230,6 @@
+@@ -1092,8 +1232,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -35313,7 +35537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1120,12 +1256,11 @@
+@@ -1120,12 +1258,11 @@
files_exec_usr_src_files($1_t)
fs_getattr_all_fs($1_t)
@@ -35328,7 +35552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
term_use_all_terms($1_t)
auth_getattr_shadow($1_t)
-@@ -1148,20 +1283,6 @@
+@@ -1148,20 +1285,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -35349,7 +35573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1207,6 +1328,7 @@
+@@ -1207,6 +1330,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -35357,7 +35581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1272,11 +1394,15 @@
+@@ -1272,11 +1396,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -35373,7 +35597,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1387,12 +1513,13 @@
+@@ -1313,7 +1441,7 @@
+ type user_devpts_t;
+ ')
+
+- allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
++ allow $1 user_devpts_t:chr_file setattr;
+ ')
+
+ ########################################
+@@ -1387,26 +1515,19 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
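Review bot: `allow $1 user_devpts_t:chr_file setattr;` replaces upstream's `setattr_chr_file_perms` macro with a single permission, and the same reversion appears in the `user_home_t:file` hunks (`setattr`, `append`, `write`, `execute`), the `user_tmp_t:sock_file write` and `user_tmp_t:file append` hunks, and the four `user_tty_device_t:chr_file` hunks further down. For the `dontaudit` rules this narrows what is silenced — `dontaudit $1 user_home_t:file execute;` suppresses only the execute denial, so whatever else `exec_file_perms` expands to (its definition is not in this chunk) will be audited again. If the intent is to stay on upstream's permission-set macros, these hunks look like leftovers of the rebase and should be dropped from the patch; if the narrower permissions are deliberate, a one-line comment next to them saying why would stop the next rebase from undoing it. The interface bodies continue outside the hunks.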
@@ -35383,12 +35616,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
##
--## Search user home directories.
+-## Do not audit attempts to search user home directories.
+## dontaudit Search user home directories.
##
+-##
+-##
+-## Do not audit attempts to search user home directories.
+-## This will supress SELinux denial messages when the specified
+-## domain is denied the permission to search these directories.
+-##
+-##
##
##
-@@ -1425,6 +1552,14 @@
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`userdom_dontaudit_search_user_home_dirs',`
+ gen_require(`
+@@ -1433,6 +1554,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
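Review bot: `+## Domain allowed access.` is the wrong parameter summary for `userdom_dontaudit_search_user_home_dirs` — the interface grants nothing — and the patch replaces upstream's `## Domain to not audit.` with it; the same reversion is in the `userdom_dontaudit_use_unpriv_user_fds` hunk further down. The summary line `+## dontaudit Search user home directories.` likewise replaces upstream's `## Do not audit attempts to search user home directories.` with a less readable form. Since the patch adds no policy in either place, dropping these documentation-only hunks so upstream's text stands is the simplest fix. The interface bodies continue outside the hunks.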
@@ -35403,7 +35651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1440,9 +1575,11 @@
+@@ -1448,9 +1577,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -35415,7 +35663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1499,6 +1636,42 @@
+@@ -1507,6 +1638,42 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -35458,7 +35706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
##
## Create directories in the home dir root with
-@@ -1573,11 +1746,14 @@
+@@ -1581,11 +1748,14 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -35474,7 +35722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -1585,18 +1761,18 @@
+@@ -1593,18 +1763,18 @@
##
##
#
@@ -35498,7 +35746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -1604,18 +1780,17 @@
+@@ -1612,18 +1782,17 @@
##
##
#
@@ -35521,7 +35769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -1623,12 +1798,12 @@
+@@ -1631,12 +1800,12 @@
##
##
#
@@ -35536,7 +35784,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1684,6 +1859,7 @@
+@@ -1655,7 +1824,7 @@
+ type user_home_t;
+ ')
+
+- dontaudit $1 user_home_t:file setattr_file_perms;
++ dontaudit $1 user_home_t:file setattr;
+ ')
+
+ ########################################
+@@ -1692,6 +1861,7 @@
type user_home_dir_t, user_home_t;
')
@@ -35544,7 +35801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1700,11 +1876,14 @@
+@@ -1708,11 +1878,14 @@
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -35562,7 +35819,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1811,19 +1990,32 @@
+@@ -1730,7 +1903,7 @@
+ type user_home_t;
+ ')
+
+- dontaudit $1 user_home_t:file append_file_perms;
++ dontaudit $1 user_home_t:file append;
+ ')
+
+ ########################################
+@@ -1748,7 +1921,7 @@
+ type user_home_t;
+ ')
+
+- dontaudit $1 user_home_t:file write_file_perms;
++ dontaudit $1 user_home_t:file write;
+ ')
+
+ ########################################
+@@ -1819,19 +1992,32 @@
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -35602,7 +35877,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1858,6 +2050,7 @@
+@@ -1849,7 +2035,7 @@
+ type user_home_t;
+ ')
+
+- dontaudit $1 user_home_t:file exec_file_perms;
++ dontaudit $1 user_home_t:file execute;
+ ')
+
+ ########################################
+@@ -1866,6 +2052,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -35610,11 +35894,64 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2094,6 +2287,25 @@
+@@ -2077,7 +2264,7 @@
+ type user_tmp_t;
+ ')
+
+- allow $1 user_tmp_t:sock_file write_sock_file_perms;
++ allow $1 user_tmp_t:sock_file write;
+ files_search_tmp($1)
+ ')
+
+@@ -2102,7 +2289,7 @@
########################################
##
+-## Do not audit attempts to list user
+## Do not audit attempts to search user
+ ## temporary directories.
+ ##
+ ##
+@@ -2111,17 +2298,17 @@
+ ##
+ ##
+ #
+-interface(`userdom_dontaudit_list_user_tmp',`
++interface(`userdom_dontaudit_search_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+- dontaudit $1 user_tmp_t:dir list_dir_perms;
++ dontaudit $1 user_tmp_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to manage users
++## Do not audit attempts to list user
+ ## temporary directories.
+ ##
+ ##
+@@ -2130,18 +2317,37 @@
+ ##
+ ##
+ #
+-interface(`userdom_dontaudit_manage_user_tmp_dirs',`
++interface(`userdom_dontaudit_list_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+- dontaudit $1 user_tmp_t:dir manage_dir_perms;
++ dontaudit $1 user_tmp_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Read user temporary files.
+-##
++## Do not audit attempts to manage users
+## temporary directories.
+##
+##
@@ -35623,24 +35960,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+##
+##
+#
-+interface(`userdom_dontaudit_search_user_tmp',`
++interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
-+ dontaudit $1 user_tmp_t:dir search_dir_perms;
++ dontaudit $1 user_tmp_t:dir manage_dir_perms;
+')
+
+########################################
+##
- ## Do not audit attempts to list user
- ## temporary directories.
- ##
-@@ -2210,7 +2422,26 @@
++## Read user temporary files.
++##
+ ##
+ ##
+ ## Domain allowed access.
+@@ -2193,7 +2399,7 @@
+ type user_tmp_t;
+ ')
+
+- dontaudit $1 user_tmp_t:file append_file_perms;
++ dontaudit $1 user_tmp_t:file append;
+ ')
+
+ ########################################
+@@ -2218,6 +2424,25 @@
########################################
##
--## Do not audit attempts to manage users
+## Do not audit attempts to write users
+## temporary files.
+##
@@ -35660,11 +36007,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+########################################
+##
-+## Do not audit attempts to manage users
+ ## Do not audit attempts to manage users
## temporary files.
##
- ##
-@@ -2290,6 +2521,46 @@
+@@ -2298,6 +2523,46 @@
########################################
##
## Create, read, write, and delete user
@@ -35711,7 +36057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## temporary symbolic links.
##
##
-@@ -2405,7 +2676,7 @@
+@@ -2413,7 +2678,7 @@
########################################
##
@@ -35720,7 +36066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -2413,19 +2684,21 @@
+@@ -2421,19 +2686,21 @@
##
##
#
@@ -35746,7 +36092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -2433,15 +2706,14 @@
+@@ -2441,15 +2708,14 @@
##
##
#
@@ -35766,7 +36112,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2763,7 +3035,7 @@
+@@ -2467,7 +2733,7 @@
+ type user_tty_device_t;
+ ')
+
+- allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
++ allow $1 user_tty_device_t:chr_file getattr;
+ ')
+
+ ########################################
+@@ -2485,7 +2751,7 @@
+ type user_tty_device_t;
+ ')
+
+- dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
++ dontaudit $1 user_tty_device_t:chr_file getattr;
+ ')
+
+ ########################################
+@@ -2503,7 +2769,7 @@
+ type user_tty_device_t;
+ ')
+
+- allow $1 user_tty_device_t:chr_file setattr_chr_file_perms;
++ allow $1 user_tty_device_t:chr_file setattr;
+ ')
+
+ ########################################
+@@ -2521,7 +2787,7 @@
+ type user_tty_device_t;
+ ')
+
+- dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms;
++ dontaudit $1 user_tty_device_t:chr_file setattr;
+ ')
+
+ ########################################
+@@ -2787,7 +3053,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -35775,7 +36157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2779,11 +3051,33 @@
+@@ -2803,11 +3069,33 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -35811,7 +36193,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2898,6 +3192,25 @@
+@@ -2848,23 +3136,14 @@
+
+ ########################################
+ ##
+-## Do not audit attempts to inherit the file descriptors
+-## from unprivileged user domains.
++## Do not audit attempts to inherit the
++## file descriptors from all user domains.
+ ##
+-##
+-##
+-## Do not audit attempts to inherit the file descriptors
+-## from unprivileged user domains. This will supress
+-## SELinux denial messages when the specified domain is denied
+-## the permission to inherit these file descriptors.
+-##
+-##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`userdom_dontaudit_use_unpriv_user_fds',`
+ gen_require(`
+@@ -2931,6 +3210,25 @@
########################################
##
@@ -35837,7 +36246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Write all users files in /tmp
##
##
-@@ -2911,7 +3224,43 @@
+@@ -2944,7 +3242,43 @@
type user_tmp_t;
')
@@ -35882,7 +36291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2948,6 +3297,7 @@
+@@ -2981,6 +3315,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -35890,7 +36299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
-@@ -3078,3 +3428,674 @@
+@@ -3111,3 +3446,674 @@
allow $1 userdomain:dbus send_msg;
')
@@ -36565,9 +36974,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+ dontaudit $1 admin_home_t:file getattr;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.10/policy/modules/system/userdomain.te
---- nsaserefpolicy/policy/modules/system/userdomain.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/userdomain.te 2010-02-23 15:54:38.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.11/policy/modules/system/userdomain.te
+--- nsaserefpolicy/policy/modules/system/userdomain.te 2010-03-03 23:26:37.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/userdomain.te 2010-03-03 23:48:01.000000000 -0500
@@ -8,13 +8,6 @@
##
@@ -36656,9 +37065,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+')
+
+allow userdomain userdomain:process signull;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.10/policy/modules/system/xen.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.11/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/xen.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/xen.if 2010-03-03 23:48:01.000000000 -0500
@@ -180,6 +180,25 @@
########################################
@@ -36695,9 +37104,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
+ typeattribute $1 xm_transition_domain;
domtrans_pattern($1, xm_exec_t, xm_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.10/policy/modules/system/xen.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.11/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/xen.te 2010-03-01 11:58:29.000000000 -0500
++++ serefpolicy-3.7.11/policy/modules/system/xen.te 2010-03-03 23:48:01.000000000 -0500
@@ -5,6 +5,7 @@
#
# Declarations
@@ -36797,9 +37206,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
#Should have a boolean wrapping these
fs_list_auto_mountpoints(xend_t)
files_search_mnt(xend_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.7.10/policy/support/misc_patterns.spt
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.7.11/policy/support/misc_patterns.spt
--- nsaserefpolicy/policy/support/misc_patterns.spt 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/support/misc_patterns.spt 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/support/misc_patterns.spt 2010-03-03 23:48:01.000000000 -0500
@@ -15,7 +15,7 @@
domain_transition_pattern($1,$2,$3)
@@ -36818,9 +37227,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns
allow $3 $1:process sigchld;
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.10/policy/support/obj_perm_sets.spt
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.11/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/support/obj_perm_sets.spt 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/support/obj_perm_sets.spt 2010-03-03 23:48:01.000000000 -0500
@@ -28,7 +28,7 @@
#
# All socket classes.
@@ -36911,9 +37320,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets
+define(`all_dbus_perms', `{ acquire_svc send_msg } ')
+define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.10/policy/users
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.11/policy/users
--- nsaserefpolicy/policy/users 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.10/policy/users 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.11/policy/users 2010-03-03 23:48:01.000000000 -0500
@@ -6,7 +6,7 @@
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])