diff --git a/modules-minimum.conf b/modules-minimum.conf
index eb63f27..22ee2d8 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -132,6 +132,13 @@ audioentropy = module
authlogin = base
# Layer: services
+# Module: asterisk
+#
+# Asterisk IP telephony server
+#
+asterisk = module
+
+# Layer: services
# Module: automount
#
# Filesystem automounter service.
diff --git a/modules-targeted.conf b/modules-targeted.conf
index eb63f27..22ee2d8 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -132,6 +132,13 @@ audioentropy = module
authlogin = base
# Layer: services
+# Module: asterisk
+#
+# Asterisk IP telephony server
+#
+asterisk = module
+
+# Layer: services
# Module: automount
#
# Filesystem automounter service.
diff --git a/policy-F12.patch b/policy-F12.patch
index 012eb6e..7ba2d75 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -239,9 +239,44 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.fc serefpolicy-3.6.32/policy/modules/admin/kismet.fc
+--- nsaserefpolicy/policy/modules/admin/kismet.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/admin/kismet.fc 2009-11-09 13:11:24.000000000 -0500
+@@ -1,3 +1,5 @@
++HOME_DIR/\.kismet(/.*)? gen_context(system_u:object_r:kismet_home_t,s0)
++
+ /usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0)
+ /var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0)
+ /var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.32/policy/modules/admin/kismet.te
+--- nsaserefpolicy/policy/modules/admin/kismet.te 2009-08-31 13:30:04.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/admin/kismet.te 2009-11-09 13:10:35.000000000 -0500
+@@ -26,6 +26,9 @@
+ type kismet_var_run_t;
+ files_pid_file(kismet_var_run_t)
+
++type kismet_home_t;
++userdom_user_home_content(kismet_home_t)
++
+ ########################################
+ #
+ # kismet local policy
+@@ -59,6 +62,12 @@
+ allow kismet_t kismet_var_run_t:dir manage_dir_perms;
+ files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
+
++manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t)
++manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
++manage_lnk_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
++userdom_search_user_home_dirs(kismet_t)
++userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir })
++
+ kernel_search_debugfs(kismet_t)
+ kernel_read_system_state(kismet_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.32/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/logrotate.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/admin/logrotate.te 2009-11-09 11:59:58.000000000 -0500
@@ -32,7 +32,7 @@
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
@@ -262,10 +297,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cron_system_entry(logrotate_t, logrotate_exec_t)
cron_search_spool(logrotate_t)
-@@ -149,6 +150,10 @@
+@@ -149,6 +150,14 @@
')
optional_policy(`
++ asterisk_stream_connect(logrotate_t)
++')
++
++optional_policy(`
+ bind_manage_cache(logrotate_t)
+')
+
@@ -273,7 +312,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
consoletype_exec(logrotate_t)
')
-@@ -183,6 +188,10 @@
+@@ -183,6 +192,10 @@
')
optional_policy(`
@@ -661,7 +700,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-10-28 08:45:03.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-11-06 14:38:19.000000000 -0500
@@ -13,11 +13,34 @@
interface(`rpm_domtrans',`
gen_require(`
@@ -922,7 +961,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -265,6 +470,47 @@
+@@ -265,6 +470,48 @@
########################################
##
@@ -961,6 +1000,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+
+ files_search_var_lib($1)
++ manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+ manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+ manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+')
@@ -970,13 +1010,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to create, read,
## write, and delete the RPM package database.
##
-@@ -283,3 +529,81 @@
+@@ -283,3 +530,99 @@
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
+
+#####################################
+##
++## Read rpm pid files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpm_read_pid_files',`
++ gen_require(`
++ type rpm_var_run_t;
++ ')
++
++ read_files_pattern($1,rpm_var_run_t,rpm_var_run_t)
++')
++
++#####################################
++##
+## Create, read, write, and delete rpm pid files.
+##
+##
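Review bot: The new `rpm_read_pid_files` interface grants read on rpm_var_run_t but never gives the caller search on the /var/run directory, so a domain that does not already have it elsewhere still cannot reach the files; add `files_search_pids($1)` before the read line, as the other *_read_pid_files interfaces in refpolicy do. The pattern call also drops the spaces after commas used throughout this file: `read_files_pattern($1, rpm_var_run_t, rpm_var_run_t)`. The rest of rpm.if continues outside the hunk.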
@@ -1054,7 +1112,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.32/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/rpm.te 2009-11-02 09:42:29.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/admin/rpm.te 2009-11-09 12:10:46.000000000 -0500
@@ -15,6 +15,9 @@
domain_interactive_fd(rpm_t)
role system_r types rpm_t;
@@ -1571,8 +1629,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
locallogin_dontaudit_use_fds(tzdata_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.32/policy/modules/admin/usermanage.if
--- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/usermanage.if 2009-09-30 16:12:48.000000000 -0400
-@@ -274,6 +274,11 @@
++++ serefpolicy-3.6.32/policy/modules/admin/usermanage.if 2009-11-09 09:42:20.000000000 -0500
+@@ -113,6 +113,12 @@
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, passwd_exec_t, passwd_t)
++
++ifdef(`hide_broken_symptoms', `
++ dontaudit passwd_t $1:unix_stream_socket rw_socket_perms;
++ dontaudit passwd_t $1:unix_dgram_socket rw_socket_perms;
++ dontaudit passwd_t $1:tcp_socket rw_socket_perms;
++')
+ ')
+
+ ########################################
+@@ -274,6 +280,11 @@
usermanage_domtrans_useradd($1)
role $2 types useradd_t;
@@ -1971,7 +2042,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.6.32/policy/modules/apps/execmem.fc
--- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/execmem.fc 2009-11-04 09:08:16.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/apps/execmem.fc 2009-11-09 15:54:53.000000000 -0500
@@ -0,0 +1,39 @@
+/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -2007,7 +2078,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
-+/opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/likewise/bin/domainjoin-cli -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
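Review bot: The hunk replaces the acroread entry (`/opt/Adobe/Reader9/Reader/intellinux/bin/acroread`) with the Adobe AIR Updater line instead of adding the new entry beside it, so acroread silently loses its execmem_exec_t label. If dropping it is intended, the commit message should say so; otherwise keep both lines. The enclosing execmem.fc file continues outside the hunk.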
@@ -3045,6 +3116,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ifdef(`hide_broken_symptoms',`
+ dev_dontaudit_rw_lvm_control_dev(loadkeys_t)
+')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.fc serefpolicy-3.6.32/policy/modules/apps/mono.fc
+--- nsaserefpolicy/policy/modules/apps/mono.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/apps/mono.fc 2009-11-09 12:10:45.000000000 -0500
+@@ -1 +1 @@
+-/usr/bin/mono -- gen_context(system_u:object_r:mono_exec_t,s0)
++/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.32/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/apps/mono.if 2009-10-17 07:22:40.000000000 -0400
@@ -3258,7 +3335,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.32/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te 2009-10-29 08:54:49.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te 2009-11-09 13:10:04.000000000 -0500
@@ -59,6 +59,7 @@
manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
@@ -5754,7 +5831,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2009-11-03 12:03:04.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2009-11-09 13:55:03.000000000 -0500
@@ -65,6 +65,7 @@
type server_packet_t, packet_type, server_packet_type;
@@ -5851,7 +5928,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
network_port(spamd, tcp,783,s0)
network_port(speech, tcp,8036,s0)
- network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
+-network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
++network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0, tcp,9000,s0) # snmp and htcp
network_port(ssh, tcp,22,s0)
+network_port(streaming, tcp, 1755, s0, udp, 1755, s0)
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
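Review bot: tcp/9000 is added to the squid `network_port` line, but the trailing comment `# snmp and htcp` still describes only 3401 and 4827 and should say what 9000 is for. Port 9000 is commonly used by unrelated services, so labeling it squid_port_t means every other domain that binds or connects there will now need squid port permissions, and squid_t gains access to whatever else listens on it. A dedicated port type, or a comment recording why squid_port_t is reused, would make the scope of the change clear.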
@@ -5950,7 +6028,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2009-10-29 14:35:22.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2009-11-09 13:41:27.000000000 -0500
@@ -1692,6 +1692,78 @@
########################################
@@ -6672,7 +6750,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/nfs/rpc_pipefs(/.*)? <>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-11-02 09:23:57.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-11-09 16:26:24.000000000 -0500
@@ -110,6 +110,11 @@
##
#
@@ -6723,7 +6801,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Remove entries from the root directory.
##
##
-@@ -1715,6 +1736,25 @@
+@@ -1487,6 +1508,25 @@
+
+ ########################################
+ ##
++## read files in the /boot directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_read_boot_files',`
++ gen_require(`
++ type boot_t;
++ ')
++
++ manage_files_pattern($1, boot_t, boot_t)
++')
++
++########################################
++##
+ ## Create, read, write, and delete files
+ ## in the /boot directory.
+ ##
+@@ -1715,6 +1755,25 @@
########################################
##
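Review bot: `files_read_boot_files` is documented as a read interface but its body is `manage_files_pattern($1, boot_t, boot_t)`, which grants create, write, unlink and rename on /boot files to every caller; the body should be `read_files_pattern($1, boot_t, boot_t)`. A caller choosing this interface by name gets far more than it asked for, and the mismatch is easy to miss once the interface is in use. The summary should also read `## Read files in the /boot directory.` to match the sibling interfaces.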
@@ -6749,7 +6853,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Mount a filesystem on a directory with the default file type.
##
##
-@@ -1931,6 +1971,28 @@
+@@ -1931,6 +1990,28 @@
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -6778,7 +6882,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2418,6 +2480,11 @@
+@@ -2418,6 +2499,11 @@
')
delete_files_pattern($1, file_t, file_t)
@@ -6790,7 +6894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -3320,6 +3387,32 @@
+@@ -3320,6 +3406,32 @@
########################################
##
@@ -6823,7 +6927,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Manage temporary files and directories in /tmp.
##
##
-@@ -3449,6 +3542,24 @@
+@@ -3449,6 +3561,24 @@
########################################
##
@@ -6848,7 +6952,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read all tmp files.
##
##
-@@ -3515,6 +3626,8 @@
+@@ -3515,6 +3645,8 @@
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -6857,7 +6961,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -3623,7 +3736,12 @@
+@@ -3623,7 +3755,12 @@
type usr_t;
')
@@ -6871,7 +6975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -3662,6 +3780,7 @@
+@@ -3662,6 +3799,7 @@
allow $1 usr_t:dir list_dir_perms;
read_files_pattern($1, usr_t, usr_t)
read_lnk_files_pattern($1, usr_t, usr_t)
@@ -6879,7 +6983,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -4188,6 +4307,24 @@
+@@ -4188,6 +4326,24 @@
########################################
##
@@ -6904,7 +7008,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Search the /var/lib directory.
##
##
-@@ -4955,7 +5092,7 @@
+@@ -4955,7 +5111,7 @@
selinux_compute_member($1)
# Need sys_admin capability for mounting
@@ -6913,7 +7017,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Need to give access to the directories to be polyinstantiated
allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-@@ -4977,12 +5114,15 @@
+@@ -4977,12 +5133,15 @@
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -6930,7 +7034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -5003,3 +5143,173 @@
+@@ -5003,3 +5162,173 @@
typeattribute $1 files_unconfined_type;
')
@@ -7142,8 +7246,44 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-10-29 08:53:01.000000000 -0400
-@@ -1149,6 +1149,44 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-11-09 16:33:29.000000000 -0500
+@@ -290,7 +290,7 @@
+
+ ########################################
+ ##
+-## Read and write files on anon_inodefs
++## Dontaudit Read and write files on anon_inodefs
+ ## file systems.
+ ##
+ ##
+@@ -310,6 +310,26 @@
+
+ ########################################
+ ##
++## Dontaudit Read and write files on anon_inodefs
++## file systems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_dontaudit_rw_anon_inodefs_files',`
++ gen_require(`
++ type anon_inodefs_t;
++
++ ')
++
++ dontaudit $1 anon_inodefs_t:file { read write };
++')
++
++########################################
++##
+ ## Mount an automount pseudo filesystem.
+ ##
+ ##
+@@ -1149,6 +1169,44 @@
domain_auto_transition_pattern($1, cifs_t, $2)
')
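Review bot: The first inner hunk (`@@ -290,7 +290,7 @@`) changes the summary of an existing interface to `## Dontaudit Read and write files on anon_inodefs`, while the new `fs_dontaudit_rw_anon_inodefs_files` interface is inserted twenty lines later with that same summary; if the interface at line 290 is the allow variant (its `interface(` line is outside the hunk), that edit mislabels it and should be reverted. The new interface's gen_require block also carries a stray blank line before `')`.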
@@ -7188,7 +7328,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Mount a DOS filesystem, such as
-@@ -1537,6 +1575,24 @@
+@@ -1537,6 +1595,24 @@
########################################
##
@@ -7213,7 +7353,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Search inotifyfs filesystem.
##
##
-@@ -2542,6 +2598,42 @@
+@@ -2542,6 +2618,42 @@
########################################
##
@@ -7256,7 +7396,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read and write NFS server files.
##
##
-@@ -3971,3 +4063,122 @@
+@@ -3971,3 +4083,122 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
')
@@ -7416,7 +7556,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Rules for all filesystem types
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.32/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/kernel.if 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/kernel/kernel.if 2009-11-09 11:35:02.000000000 -0500
@@ -485,6 +485,25 @@
########################################
@@ -7443,7 +7583,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Get information on all System V IPC objects.
##
##
-@@ -1807,7 +1826,7 @@
+@@ -922,6 +941,28 @@
+
+ ########################################
+ ##
++## Allows caller to read th core kernel interface.
++##
++##
++##
++## The process type getting the attibutes.
++##
++##
++#
++interface(`kernel_read_core_if',`
++ gen_require(`
++ type proc_t, proc_kcore_t;
++ attribute can_dump_kernel;
++ ')
++
++ read_files_pattern($1, proc_t, proc_kcore_t)
++ list_dirs_pattern($1, proc_t, proc_t)
++
++ typeattribute $1 can_dump_kernel;
++')
++
++########################################
++##
+ ## Do not audit attempts to get the attributes of
+ ## core kernel interfaces.
+ ##
+@@ -1807,7 +1848,7 @@
')
dontaudit $1 sysctl_type:dir list_dir_perms;
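Review bot: The summary of the new `kernel_read_core_if` has typos (`th core`, `attibutes`) and, more importantly, does not state what the interface grants: read on proc_kcore_t (the kernel memory image under /proc) plus membership in `can_dump_kernel`, which exempts the caller from the kernel.te neverallow. Suggested summary: `## Allow the caller to read the kernel memory image (/proc/kcore). This exempts the domain from the proc_kcore_t neverallow; intended only for kernel-dump tools.` and parameter text `## The process type reading kcore.`. The rest of kernel.if continues outside the hunk.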
@@ -7452,7 +7621,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2621,6 +2640,24 @@
+@@ -2621,6 +2662,24 @@
########################################
##
@@ -7477,7 +7646,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Unconfined access to kernel module resources.
##
##
-@@ -2636,3 +2673,22 @@
+@@ -2636,3 +2695,22 @@
typeattribute $1 kern_unconfined;
')
@@ -7502,8 +7671,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.32/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/kernel.te 2009-09-30 16:12:48.000000000 -0400
-@@ -63,6 +63,15 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/kernel.te 2009-11-09 11:35:13.000000000 -0500
+@@ -9,6 +9,7 @@
+ # assertion related attributes
+ attribute can_load_kernmodule;
+ attribute can_receive_kernel_messages;
++attribute can_dump_kernel;
+
+ neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
+
+@@ -63,6 +64,15 @@
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
#
@@ -7519,7 +7696,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# kvmFS
#
-@@ -165,6 +174,7 @@
+@@ -90,7 +100,7 @@
+
+ # /proc kcore: inaccessible
+ type proc_kcore_t, proc_type;
+-neverallow ~kern_unconfined proc_kcore_t:file ~getattr;
++neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;
+ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
+
+ type proc_mdstat_t, proc_type;
+@@ -165,6 +175,7 @@
#
type unlabeled_t;
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -7527,7 +7713,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
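Review bot: The comment `# /proc kcore: inaccessible` two lines above the changed neverallow is now stale, since any domain carrying can_dump_kernel may read the file; update it to `# /proc kcore: readable only by can_dump_kernel domains`. Because this neverallow is the only policy-level guard on reading all of kernel memory, naming the interface that grants the attribute (kernel_read_core_if) in that comment would help future reviewers audit its users.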
-@@ -255,7 +265,8 @@
+@@ -255,7 +266,8 @@
selinux_load_policy(kernel_t)
@@ -7537,7 +7723,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -269,6 +280,8 @@
+@@ -269,6 +281,8 @@
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -7546,7 +7732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mcs_process_set_categories(kernel_t)
-@@ -276,12 +289,18 @@
+@@ -276,12 +290,18 @@
mls_process_write_down(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
@@ -7565,7 +7751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
hotplug_search_config(kernel_t)
')
-@@ -355,7 +374,11 @@
+@@ -355,7 +375,11 @@
')
optional_policy(`
@@ -7578,7 +7764,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -387,3 +410,5 @@
+@@ -387,3 +411,5 @@
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
@@ -7688,7 +7874,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.32/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2009-10-29 08:39:50.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2009-11-09 13:31:28.000000000 -0500
@@ -196,7 +196,7 @@
dev_list_all_dev_nodes($1)
@@ -7760,6 +7946,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Read and write the controlling
+@@ -991,10 +1029,12 @@
+ interface(`term_use_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
++ type console_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tty_device_t:chr_file rw_chr_file_perms;
++ allow $1 console_device_t:chr_file rw_chr_file_perms;
+ ')
+
+ ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.6.32/policy/modules/kernel/terminal.te
--- nsaserefpolicy/policy/modules/kernel/terminal.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/kernel/terminal.te 2009-09-30 16:12:48.000000000 -0400
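Review bot: Adding `allow $1 console_device_t:chr_file rw_chr_file_perms;` to `term_use_unallocated_ttys` widens an existing interface for every current caller, each of which now gets read/write on /dev/console without asking for it. Refpolicy already provides `term_use_console` for that grant; callers needing both should invoke both rather than having the tty interface absorb the console. If the widening is deliberate, the interface summary (outside the hunk) should be updated to say the console is covered too.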
@@ -7996,7 +8195,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.32/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/roles/sysadm.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/roles/sysadm.te 2009-11-09 16:32:50.000000000 -0500
@@ -15,7 +15,7 @@
role sysadm_r;
@@ -8006,7 +8205,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifndef(`enable_mls',`
userdom_security_admin_template(sysadm_t, sysadm_r)
-@@ -35,6 +35,7 @@
+@@ -35,10 +35,13 @@
ubac_fd_exempt(sysadm_t)
init_exec(sysadm_t)
@@ -8014,7 +8213,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
-@@ -70,7 +71,6 @@
+ userdom_home_filetrans_user_home_dir(sysadm_t)
++userdom_manage_user_tmp_chr_files(sysadm_t)
++userdom_manage_user_tmp_blk_files(sysadm_t)
+
+ ifdef(`direct_sysadm_daemon',`
+ optional_policy(`
+@@ -70,7 +73,6 @@
apache_run_helper(sysadm_t, sysadm_r)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
@@ -8022,7 +8227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -87,10 +87,6 @@
+@@ -87,10 +89,6 @@
')
optional_policy(`
@@ -8033,7 +8238,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
backup_run(sysadm_t, sysadm_r)
')
-@@ -99,18 +95,10 @@
+@@ -99,18 +97,10 @@
')
optional_policy(`
@@ -8052,7 +8257,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -127,7 +115,7 @@
+@@ -127,7 +117,7 @@
')
optional_policy(`
@@ -8061,7 +8266,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -135,10 +123,6 @@
+@@ -135,10 +125,6 @@
')
optional_policy(`
@@ -8072,7 +8277,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dcc_run_cdcc(sysadm_t, sysadm_r)
dcc_run_client(sysadm_t, sysadm_r)
dcc_run_dbclean(sysadm_t, sysadm_r)
-@@ -166,10 +150,6 @@
+@@ -166,10 +152,6 @@
')
optional_policy(`
@@ -8083,7 +8288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
firstboot_run(sysadm_t, sysadm_r)
')
-@@ -178,22 +158,6 @@
+@@ -178,22 +160,6 @@
')
optional_policy(`
@@ -8106,7 +8311,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hostname_run(sysadm_t, sysadm_r)
')
-@@ -205,6 +169,8 @@
+@@ -205,6 +171,8 @@
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -8115,7 +8320,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -212,11 +178,7 @@
+@@ -212,11 +180,7 @@
')
optional_policy(`
@@ -8128,7 +8333,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -228,10 +190,6 @@
+@@ -228,10 +192,6 @@
')
optional_policy(`
@@ -8139,7 +8344,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logrotate_run(sysadm_t, sysadm_r)
')
-@@ -255,14 +213,6 @@
+@@ -255,14 +215,6 @@
')
optional_policy(`
@@ -8154,7 +8359,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mta_role(sysadm_r, sysadm_t)
')
-@@ -290,11 +240,6 @@
+@@ -290,11 +242,6 @@
')
optional_policy(`
@@ -8166,7 +8371,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
pcmcia_run_cardctl(sysadm_t, sysadm_r)
')
-@@ -308,7 +253,7 @@
+@@ -308,7 +255,7 @@
')
optional_policy(`
@@ -8175,7 +8380,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -320,10 +265,6 @@
+@@ -320,10 +267,6 @@
')
optional_policy(`
@@ -8186,7 +8391,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rpc_domtrans_nfsd(sysadm_t)
')
-@@ -332,10 +273,6 @@
+@@ -332,10 +275,6 @@
')
optional_policy(`
@@ -8197,7 +8402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rsync_exec(sysadm_t)
')
-@@ -345,10 +282,6 @@
+@@ -345,10 +284,6 @@
')
optional_policy(`
@@ -8208,7 +8413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
secadm_role_change(sysadm_r)
')
-@@ -358,35 +291,15 @@
+@@ -358,35 +293,15 @@
')
optional_policy(`
@@ -8244,7 +8449,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -394,18 +307,10 @@
+@@ -394,18 +309,10 @@
')
optional_policy(`
@@ -8263,7 +8468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_domtrans(sysadm_t)
')
-@@ -418,17 +323,13 @@
+@@ -418,17 +325,13 @@
')
optional_policy(`
@@ -8282,7 +8487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -440,13 +341,12 @@
+@@ -440,13 +343,12 @@
')
optional_policy(`
@@ -8956,8 +9161,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-10-29 17:52:13.000000000 -0400
-@@ -0,0 +1,428 @@
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-11-09 15:10:48.000000000 -0500
+@@ -0,0 +1,424 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -9070,10 +9275,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+optional_policy(`
-+ loadkeys_run(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
+ gen_require(`
+ attribute unconfined_usertype;
+ ')
@@ -9706,8 +9907,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-11-04 08:52:56.000000000 -0500
-@@ -38,7 +38,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-11-09 17:18:29.000000000 -0500
+@@ -33,12 +33,16 @@
+ type abrt_var_run_t;
+ files_pid_file(abrt_var_run_t)
+
++ifdef(`enable_mcs',`
++ init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
++')
++
+ ########################################
+ #
# abrt local policy
#
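Review bot: `init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)` inside the new enable_mcs ifdef runs abrt at the full MCS range with no comment saying why, and a systemhigh clearance is the broadest MCS grant a daemon can get. Presumably it is needed so abrt can read crash data from processes in any category, but that should be stated rather than inferred by the next reader. Suggest a line above the ifdef such as `# abrt must read crash data of processes at any MCS category, so run it ranged to mcs_systemhigh`, adjusted to the actual reason. The abrt local policy block this precedes continues outside the hunk.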
@@ -9716,7 +9926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow abrt_t self:process { signal signull setsched getsched };
allow abrt_t self:fifo_file rw_fifo_file_perms;
-@@ -60,13 +60,15 @@
+@@ -60,13 +64,15 @@
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
# abrt var/cache files
@@ -9734,22 +9944,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
kernel_read_ring_buffer(abrt_t)
-@@ -75,11 +77,14 @@
+@@ -75,11 +81,17 @@
corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
+corecmd_read_all_executables(abrt_t)
corenet_tcp_connect_http_port(abrt_t)
++corenet_tcp_connect_ftp_port(abrt_t)
++corenet_tcp_connect_all_ports(abrt_t)
dev_read_urand(abrt_t)
++domain_read_all_domains_state(abrt_t)
+domain_signull_all_domains(abrt_t)
+
files_getattr_all_files(abrt_t)
files_read_etc_files(abrt_t)
files_read_usr_files(abrt_t)
-@@ -96,22 +101,36 @@
+@@ -96,22 +108,37 @@
miscfiles_read_certs(abrt_t)
miscfiles_read_localization(abrt_t)
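Review bot: `corenet_tcp_connect_all_ports(abrt_t)`, added on the line after `corenet_tcp_connect_ftp_port(abrt_t)`, makes that rule and the existing `corenet_tcp_connect_http_port(abrt_t)` redundant and lets a daemon that parses untrusted crash dumps open an outbound TCP connection to any port. If user-configured upload destinations are the reason, this is a candidate for a `tunable_policy()` boolean in the style of the `allow_gssd_read_tmp` block elsewhere in this patch, or at minimum a comment naming the plugin that needs it, e.g. `# TODO(review): name the reporter plugin that requires arbitrary outbound ports`. `domain_read_all_domains_state(abrt_t)` two lines below similarly exposes the /proc state of every domain and deserves a one-line why-comment. The enclosing abrt local policy continues outside the hunk.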
@@ -9757,8 +9970,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-# read ~/.abrt/Bugzilla.conf
-userdom_read_user_home_content_files(abrt_t)
+userdom_dontaudit_read_user_home_content_files(abrt_t)
-+
-+optional_policy(`
+
+ optional_policy(`
+- dbus_connect_system_bus(abrt_t)
+- dbus_system_bus_client(abrt_t)
+ dbus_system_domain(abrt_t, abrt_exec_t)
+')
+
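Review bot: Replacing `userdom_read_user_home_content_files(abrt_t)` with `userdom_dontaudit_read_user_home_content_files(abrt_t)` also drops the `# read ~/.abrt/Bugzilla.conf` comment, so the hunk no longer records whether abrt still needs that per-user file; if it does, the read now fails and the dontaudit hides the AVC, which is the hardest kind of breakage to diagnose. A short comment stating the decision would help, e.g. `# per-user ~/.abrt config is deliberately not readable by the daemon; silence the probe`. `dbus_system_domain(abrt_t, abrt_exec_t)` replaces the two removed dbus client rules and, as far as I recall refpolicy, also lets the system bus daemon transition into abrt_t via abrt_exec_t, which is a broader change than a client-only rule and is worth a word in the description. The surrounding optional_policy blocks continue outside the hunk.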
@@ -9766,10 +9981,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ nsplugin_read_rw_files(abrt_t)
+ nsplugin_read_home(abrt_t)
+')
-
- optional_policy(`
-- dbus_connect_system_bus(abrt_t)
-- dbus_system_bus_client(abrt_t)
++
++optional_policy(`
+ policykit_dbus_chat(abrt_t)
+ policykit_domtrans_auth(abrt_t)
+ policykit_read_lib(abrt_t)
@@ -9782,6 +9995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- rpm_domtrans(abrt_t)
+ rpm_manage_cache(abrt_t)
+ rpm_read_db(abrt_t)
++ rpm_read_pid_files(abrt_t)
+ rpm_exec(abrt_t)
+ rpm_dontaudit_manage_db(abrt_t)
+ rpm_signull(abrt_t)
@@ -9833,7 +10047,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/cman_.* -s gen_context(system_u:object_r:aisexec_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.6.32/policy/modules/services/aisexec.if
--- nsaserefpolicy/policy/modules/services/aisexec.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/aisexec.if 2009-10-23 09:31:29.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/aisexec.if 2009-11-09 11:58:57.000000000 -0500
@@ -0,0 +1,106 @@
+## SELinux policy for Aisexec Cluster Engine
+
@@ -11598,10 +11812,49 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
allow apmd_t self:unix_dgram_socket create_socket_perms;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.6.32/policy/modules/services/asterisk.if
+--- nsaserefpolicy/policy/modules/services/asterisk.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/asterisk.if 2009-11-09 12:03:06.000000000 -0500
+@@ -1,5 +1,26 @@
+ ## Asterisk IP telephony server
+
++#####################################
++##
++## Connect to asterisk over a unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`asterisk_stream_connect',`
++ gen_require(`
++ type asterisk_t, asterisk_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)
++')
++
++
+ ########################################
+ ##
+ ## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.6.32/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2009-11-03 12:04:14.000000000 -0500
-@@ -97,6 +97,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2009-11-09 12:04:26.000000000 -0500
+@@ -34,6 +34,8 @@
+ type asterisk_var_run_t;
+ files_pid_file(asterisk_var_run_t)
+
++permissive asterisk_t;
++
+ ########################################
+ #
+ # Local policy
+@@ -97,6 +99,7 @@
corenet_udp_bind_generic_node(asterisk_t)
corenet_tcp_bind_asterisk_port(asterisk_t)
corenet_udp_bind_asterisk_port(asterisk_t)
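Review bot: `permissive asterisk_t;` in the asterisk.te hunk puts the whole domain in permissive mode, so every rule in this module only produces audit messages and nothing is enforced for the telephony server until the line is removed. That is a normal staging step for a new domain, but it should carry a comment saying so and what removes it, e.g. `# TODO(review): permissive while the asterisk policy is being shaken out; drop before enforcing, tracked in [BUG-ID placeholder]`. The new `asterisk_stream_connect` interface in asterisk.if uses the same `stream_connect_pattern()` shape the pcscd.if hunk later moves to, which is consistent; its `##` documentation block appears empty here, possibly because markup was lost in extraction, so confirm the summary and param entries survive in the actual file. The remainder of both files is outside the hunk.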
@@ -11611,8 +11864,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_generic_port(asterisk_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.32/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/automount.te 2009-09-30 16:12:48.000000000 -0400
-@@ -129,6 +129,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/automount.te 2009-11-09 08:40:15.000000000 -0500
+@@ -75,6 +75,7 @@
+
+ fs_mount_all_fs(automount_t)
+ fs_unmount_all_fs(automount_t)
++fs_search_all(automount_t)
+
+ corecmd_exec_bin(automount_t)
+ corecmd_exec_shell(automount_t)
+@@ -129,6 +130,7 @@
fs_unmount_autofs(automount_t)
fs_mount_autofs(automount_t)
fs_manage_autofs_symlinks(automount_t)
@@ -12643,7 +12904,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.6.32/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/corosync.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/corosync.te 2009-11-09 09:52:50.000000000 -0500
@@ -0,0 +1,109 @@
+
+policy_module(corosync,1.0.0)
@@ -12685,7 +12946,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+
+allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
-+allow corosync_t self:process { setsched signal };
++allow corosync_t self:process { setrlimit setsched signal };
+
+allow corosync_t self:fifo_file rw_fifo_file_perms;
+allow corosync_t self:sem create_sem_perms;
@@ -12959,7 +13220,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.32/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/cron.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/cron.te 2009-11-09 17:18:07.000000000 -0500
@@ -38,6 +38,7 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -13743,7 +14004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $1 devicekit_t:process { ptrace signal_perms getattr };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.32/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/devicekit.te 2009-10-22 11:15:43.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/devicekit.te 2009-11-05 08:28:20.000000000 -0500
@@ -36,12 +36,15 @@
manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
@@ -13783,7 +14044,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_setsched(devicekit_disk_t)
corecmd_exec_bin(devicekit_disk_t)
-@@ -79,21 +87,34 @@
+@@ -79,21 +87,35 @@
dev_rw_sysfs(devicekit_disk_t)
dev_read_urand(devicekit_disk_t)
dev_getattr_usbfs_dirs(devicekit_disk_t)
@@ -13808,6 +14069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_mount_all_fs(devicekit_disk_t)
fs_unmount_all_fs(devicekit_disk_t)
-fs_manage_fusefs_dirs(devicekit_disk_t)
++fs_search_all(devicekit_disk_t)
storage_raw_read_fixed_disk(devicekit_disk_t)
storage_raw_write_fixed_disk(devicekit_disk_t)
@@ -13819,7 +14081,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(devicekit_disk_t)
miscfiles_read_localization(devicekit_disk_t)
-@@ -110,6 +131,7 @@
+@@ -110,6 +132,7 @@
')
optional_policy(`
@@ -13827,7 +14089,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
policykit_domtrans_auth(devicekit_disk_t)
policykit_read_lib(devicekit_disk_t)
policykit_read_reload(devicekit_disk_t)
-@@ -134,14 +156,26 @@
+@@ -134,14 +157,26 @@
udev_read_db(devicekit_disk_t)
')
@@ -13855,7 +14117,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
-@@ -151,6 +185,7 @@
+@@ -151,6 +186,7 @@
kernel_read_system_state(devicekit_power_t)
kernel_rw_hotplug_sysctls(devicekit_power_t)
kernel_rw_kernel_sysctl(devicekit_power_t)
@@ -13863,7 +14125,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
-@@ -159,6 +194,7 @@
+@@ -159,6 +195,7 @@
domain_read_all_domains_state(devicekit_power_t)
@@ -13871,7 +14133,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_rw_generic_usb_dev(devicekit_power_t)
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
-@@ -167,12 +203,17 @@
+@@ -167,12 +204,17 @@
files_read_etc_files(devicekit_power_t)
files_read_usr_files(devicekit_power_t)
@@ -13889,7 +14151,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_read_all_users_state(devicekit_power_t)
optional_policy(`
-@@ -180,8 +221,11 @@
+@@ -180,8 +222,11 @@
')
optional_policy(`
@@ -13902,7 +14164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow devicekit_power_t devicekit_t:dbus send_msg;
optional_policy(`
-@@ -203,17 +247,23 @@
+@@ -203,17 +248,23 @@
optional_policy(`
hal_domtrans_mac(devicekit_power_t)
@@ -14842,7 +15104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.32/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/hal.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/hal.te 2009-11-09 13:39:05.000000000 -0500
@@ -55,6 +55,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -14875,7 +15137,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_getattr_all_mountpoints(hald_t)
mls_file_read_all_levels(hald_t)
-@@ -202,8 +212,10 @@
+@@ -197,13 +207,16 @@
+ miscfiles_read_hwdata(hald_t)
+
+ modutils_domtrans_insmod(hald_t)
++modutils_read_module_deps(hald_t)
+
+ seutil_read_config(hald_t)
seutil_read_default_contexts(hald_t)
seutil_read_file_contexts(hald_t)
@@ -14887,7 +15155,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_dontaudit_use_unpriv_user_fds(hald_t)
userdom_dontaudit_search_user_home_dirs(hald_t)
-@@ -290,6 +302,7 @@
+@@ -290,6 +303,7 @@
')
optional_policy(`
@@ -14895,7 +15163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
policykit_domtrans_auth(hald_t)
policykit_domtrans_resolve(hald_t)
policykit_read_lib(hald_t)
-@@ -321,6 +334,10 @@
+@@ -321,6 +335,10 @@
virt_manage_images(hald_t)
')
@@ -14906,7 +15174,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Hal acl local policy
-@@ -341,6 +358,7 @@
+@@ -341,6 +359,7 @@
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@@ -14914,7 +15182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(hald_acl_t)
-@@ -357,6 +375,8 @@
+@@ -357,6 +376,8 @@
files_read_usr_files(hald_acl_t)
files_read_etc_files(hald_acl_t)
@@ -14923,7 +15191,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
storage_getattr_removable_dev(hald_acl_t)
storage_setattr_removable_dev(hald_acl_t)
storage_getattr_fixed_disk_dev(hald_acl_t)
-@@ -369,6 +389,7 @@
+@@ -369,6 +390,7 @@
miscfiles_read_localization(hald_acl_t)
optional_policy(`
@@ -14931,7 +15199,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
policykit_domtrans_auth(hald_acl_t)
policykit_read_lib(hald_acl_t)
policykit_read_reload(hald_acl_t)
-@@ -450,12 +471,16 @@
+@@ -450,12 +472,16 @@
miscfiles_read_localization(hald_keymap_t)
@@ -14950,7 +15218,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow hald_dccm_t self:process getsched;
allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
allow hald_dccm_t self:udp_socket create_socket_perms;
-@@ -469,10 +494,22 @@
+@@ -469,10 +495,22 @@
manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
files_search_var_lib(hald_dccm_t)
@@ -14973,7 +15241,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(hald_dccm_t)
corenet_all_recvfrom_netlabel(hald_dccm_t)
corenet_tcp_sendrecv_generic_if(hald_dccm_t)
-@@ -484,6 +521,7 @@
+@@ -484,6 +522,7 @@
corenet_tcp_bind_generic_node(hald_dccm_t)
corenet_udp_bind_generic_node(hald_dccm_t)
corenet_udp_bind_dhcpc_port(hald_dccm_t)
@@ -14981,7 +15249,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_dccm_port(hald_dccm_t)
logging_send_syslog_msg(hald_dccm_t)
-@@ -491,3 +529,7 @@
+@@ -491,3 +530,7 @@
files_read_usr_files(hald_dccm_t)
miscfiles_read_localization(hald_dccm_t)
@@ -16873,6 +17141,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.6.32/policy/modules/services/pcscd.if
+--- nsaserefpolicy/policy/modules/services/pcscd.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/pcscd.if 2009-11-09 09:06:23.000000000 -0500
+@@ -53,6 +53,5 @@
+ ')
+
+ files_search_pids($1)
+- allow $1 pcscd_var_run_t:sock_file write;
+- allow $1 pcscd_t:unix_stream_socket connectto;
++ stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.32/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/services/pcscd.te 2009-10-29 14:35:35.000000000 -0400
@@ -19932,7 +20211,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.32/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/rpc.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/rpc.te 2009-11-09 13:15:31.000000000 -0500
@@ -53,7 +53,7 @@
# RPC local policy
#
@@ -20005,7 +20284,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(gssd_t)
auth_manage_cache(gssd_t)
-@@ -199,6 +211,8 @@
+@@ -199,10 +211,13 @@
mount_signal(gssd_t)
@@ -20014,6 +20293,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`allow_gssd_read_tmp',`
userdom_list_user_tmp(gssd_t)
userdom_read_user_tmp_files(gssd_t)
+ userdom_read_user_tmp_symlinks(gssd_t)
++ userdom_dontaudit_write_user_tmp_files(gssd_t)
+ ')
+
+ optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.32/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/services/rsync.te 2009-09-30 16:12:48.000000000 -0400
@@ -20061,7 +20345,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_can_read_shadow_passwords(rsync_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.6.32/policy/modules/services/rtkit.if
--- nsaserefpolicy/policy/modules/services/rtkit.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/rtkit.if 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/rtkit.if 2009-11-06 14:26:20.000000000 -0500
@@ -38,3 +38,23 @@
allow $1 rtkit_daemon_t:dbus send_msg;
allow rtkit_daemon_t $1:dbus send_msg;
@@ -23532,8 +23816,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.32/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-09-09 15:37:17.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-11-04 08:31:23.000000000 -0500
-@@ -89,8 +89,8 @@
++++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-11-09 15:37:59.000000000 -0500
+@@ -74,6 +74,12 @@
+
+ domtrans_pattern($2, iceauth_exec_t, iceauth_t)
+
++ifdef(`hide_broken_symptoms', `
++ dontaudit iceauth_t $2:unix_stream_socket rw_socket_perms;
++ dontaudit iceauth_t $2:tcp_socket rw_socket_perms;
++ fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
++')
++
+ allow $2 iceauth_home_t:file read_file_perms;
+
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
+@@ -89,8 +95,8 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
allow $2 xdm_t:fifo_file { getattr read write ioctl };
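Review bot: The new hide_broken_symptoms ifdef block dontaudits iceauth_t reading and writing the caller's (`$2`) unix_stream_socket and tcp_socket plus anon_inodefs files, which looks like the signature of the calling domain leaking open descriptors across the `domtrans_pattern($2, iceauth_exec_t, iceauth_t)` on the line above; a dontaudit hides that, it does not fix it. The same pattern is added for xauth_t in the `@@ -585,6 +591,12 @@` hunk (`fs_dontaudit_rw_anon_inodefs_files(xauth_t)`) and in the xserver.te `@@ -289,6 +318,11 @@` hunk (`term_dontaudit_use_unallocated_ttys(xauth_t)`, `dev_dontaudit_rw_dri(xauth_t)`). A one-line comment on each block would keep the intent visible, e.g. `# callers leak sockets/fds into iceauth_t across the domtrans; silence the rw denials rather than grant them`. The template this sits in starts and ends outside the hunk.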
@@ -23544,7 +23841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit $2 xdm_t:tcp_socket { read write };
# Client read xserver shm
-@@ -211,6 +211,7 @@
+@@ -211,6 +217,7 @@
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@@ -23552,7 +23849,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
-@@ -245,7 +246,7 @@
+@@ -245,7 +252,7 @@
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
@@ -23561,7 +23858,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Client read xserver shm
allow $1 xserver_t:fd use;
-@@ -299,7 +300,7 @@
+@@ -299,7 +306,7 @@
interface(`xserver_user_client',`
refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
gen_require(`
@@ -23570,7 +23867,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
')
-@@ -308,14 +309,14 @@
+@@ -308,14 +315,14 @@
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -23590,7 +23887,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit $1 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -367,7 +368,6 @@
+@@ -367,7 +374,6 @@
type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
type xevent_t, client_xevent_t;
@@ -23598,7 +23895,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
attribute xproperty_type;
attribute xevent_type;
attribute input_xevent_type;
-@@ -376,6 +376,8 @@
+@@ -376,6 +382,8 @@
class x_property all_x_property_perms;
class x_event all_x_event_perms;
class x_synthetic_event all_x_synthetic_event_perms;
@@ -23607,7 +23904,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
##############################
-@@ -383,20 +385,11 @@
+@@ -383,20 +391,11 @@
# Local Policy
#
@@ -23628,7 +23925,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
allow $2 $1_property_xevent_t:{ x_event x_synthetic_event } receive;
allow $2 $1_focus_xevent_t:{ x_event x_synthetic_event } receive;
-@@ -409,8 +402,10 @@
+@@ -409,8 +408,10 @@
type_transition $2 manage_xevent_t:x_event $1_manage_xevent_t;
type_transition $2 client_xevent_t:x_event $1_client_xevent_t;
type_transition $2 xevent_t:x_event $1_default_xevent_t;
@@ -23640,7 +23937,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
-@@ -484,13 +479,14 @@
+@@ -484,13 +485,14 @@
#
template(`xserver_user_x_domain_template',`
gen_require(`
@@ -23659,7 +23956,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Read .Xauthority file
allow $2 xauth_home_t:file read_file_perms;
-@@ -498,9 +494,9 @@
+@@ -498,9 +500,9 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
@@ -23672,7 +23969,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -526,6 +522,10 @@
+@@ -526,6 +528,10 @@
allow $2 xserver_t:shm rw_shm_perms;
allow $2 xserver_tmpfs_t:file rw_file_perms;
')
@@ -23683,7 +23980,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -585,6 +585,11 @@
+@@ -585,6 +591,12 @@
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -23691,11 +23988,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ifdef(`hide_broken_symptoms', `
+ dontaudit xauth_t $1:unix_stream_socket rw_socket_perms;
+ dontaudit xauth_t $1:tcp_socket rw_socket_perms;
++ fs_dontaudit_rw_anon_inodefs_files(xauth_t)
+')
')
########################################
-@@ -728,7 +733,7 @@
+@@ -728,7 +740,7 @@
type xdm_t;
')
@@ -23704,7 +24002,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -764,11 +769,11 @@
+@@ -764,11 +776,11 @@
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -23718,7 +24016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -802,10 +807,10 @@
+@@ -802,10 +814,10 @@
#
interface(`xserver_setattr_xdm_tmp_dirs',`
gen_require(`
@@ -23731,7 +24029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -821,12 +826,13 @@
+@@ -821,12 +833,13 @@
#
interface(`xserver_create_xdm_tmp_sockets',`
gen_require(`
@@ -23748,7 +24046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -845,7 +851,44 @@
+@@ -845,7 +858,44 @@
')
files_search_pids($1)
@@ -23794,7 +24092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -868,6 +911,75 @@
+@@ -868,6 +918,75 @@
########################################
##
@@ -23870,7 +24168,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Make an X session script an entrypoint for the specified domain.
##
##
-@@ -886,6 +998,24 @@
+@@ -886,6 +1005,24 @@
########################################
##
@@ -23895,7 +24193,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Execute an X session in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
-@@ -961,6 +1091,27 @@
+@@ -961,6 +1098,27 @@
########################################
##
@@ -23923,7 +24221,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to write the X server
## log files.
##
-@@ -1014,11 +1165,11 @@
+@@ -1014,11 +1172,11 @@
#
interface(`xserver_read_xdm_tmp_files',`
gen_require(`
@@ -23937,7 +24235,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1033,11 +1184,11 @@
+@@ -1033,11 +1191,11 @@
#
interface(`xserver_dontaudit_read_xdm_tmp_files',`
gen_require(`
@@ -23952,7 +24250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1052,11 +1203,11 @@
+@@ -1052,11 +1210,11 @@
#
interface(`xserver_rw_xdm_tmp_files',`
gen_require(`
@@ -23967,7 +24265,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1071,10 +1222,10 @@
+@@ -1071,10 +1229,10 @@
#
interface(`xserver_manage_xdm_tmp_files',`
gen_require(`
@@ -23980,7 +24278,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1089,10 +1240,10 @@
+@@ -1089,10 +1247,10 @@
#
interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
gen_require(`
@@ -23993,7 +24291,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1107,10 +1258,11 @@
+@@ -1107,10 +1265,11 @@
#
interface(`xserver_domtrans',`
gen_require(`
@@ -24006,7 +24304,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domtrans_pattern($1, xserver_exec_t, xserver_t)
')
-@@ -1248,6 +1400,278 @@
+@@ -1248,6 +1407,278 @@
########################################
##
@@ -24285,7 +24583,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain complete control over the
## display.
-@@ -1261,7 +1685,103 @@
+@@ -1261,7 +1692,103 @@
interface(`xserver_unconfined',`
gen_require(`
attribute xserver_unconfined_type;
@@ -24391,7 +24689,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-11-04 08:32:41.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-11-09 15:38:27.000000000 -0500
@@ -34,6 +34,13 @@
##
@@ -24530,7 +24828,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_tmpfs_file(xserver_tmpfs_t)
ubac_constrained(xserver_tmpfs_t)
-@@ -250,23 +269,26 @@
+@@ -250,23 +269,28 @@
# Xauth local policy
#
@@ -24538,6 +24836,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xauth_t self:process signal;
allow xauth_t self:unix_stream_socket create_stream_socket_perms;
++allow xauth_t xdm_t:process sigchld;
++
allow xauth_t xauth_home_t:file manage_file_perms;
userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
+userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file)
@@ -24560,7 +24860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_getattr_xattr_fs(xauth_t)
fs_search_auto_mountpoints(xauth_t)
-@@ -279,6 +301,11 @@
+@@ -279,6 +303,11 @@
userdom_use_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
@@ -24572,7 +24872,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xserver_rw_xdm_tmp_files(xauth_t)
tunable_policy(`use_nfs_home_dirs',`
-@@ -300,20 +327,31 @@
+@@ -289,6 +318,11 @@
+ fs_manage_cifs_files(xauth_t)
+ ')
+
++ifdef(`hide_broken_symptoms', `
++ term_dontaudit_use_unallocated_ttys(xauth_t)
++ dev_dontaudit_rw_dri(xauth_t)
++')
++
+ optional_policy(`
+ ssh_sigchld(xauth_t)
+ ssh_read_pipes(xauth_t)
+@@ -300,20 +334,31 @@
# XDM Local policy
#
@@ -24607,7 +24919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -325,26 +363,43 @@
+@@ -325,26 +370,43 @@
# this is ugly, daemons should not create files under /etc!
manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
@@ -24658,7 +24970,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xdm_t xserver_t:process signal;
allow xdm_t xserver_t:unix_stream_socket connectto;
-@@ -358,6 +413,7 @@
+@@ -358,6 +420,7 @@
allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xserver_t:shm rw_shm_perms;
@@ -24666,7 +24978,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -366,10 +422,14 @@
+@@ -366,10 +429,14 @@
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -24682,7 +24994,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctls(xdm_t)
-@@ -389,11 +449,13 @@
+@@ -389,11 +456,13 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -24696,7 +25008,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
-@@ -401,6 +463,7 @@
+@@ -401,6 +470,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -24704,7 +25016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -413,14 +476,17 @@
+@@ -413,14 +483,17 @@
dev_setattr_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
@@ -24724,7 +25036,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -431,9 +497,13 @@
+@@ -431,9 +504,13 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -24738,7 +25050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,6 +512,7 @@
+@@ -442,6 +519,7 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -24746,7 +25058,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_setattr_console(xdm_t)
term_use_unallocated_ttys(xdm_t)
-@@ -450,6 +521,7 @@
+@@ -450,6 +528,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@@ -24754,11 +25066,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -460,10 +532,11 @@
+@@ -460,10 +539,12 @@
logging_read_generic_logs(xdm_t)
+miscfiles_dontaudit_write_fonts(xdm_t)
++miscfiles_search_man_pages(xdm_t)
miscfiles_read_localization(xdm_t)
miscfiles_read_fonts(xdm_t)
-
@@ -24768,7 +25081,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -472,6 +545,10 @@
+@@ -472,6 +553,10 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -24779,7 +25092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -504,10 +581,12 @@
+@@ -504,10 +589,12 @@
optional_policy(`
alsa_domtrans(xdm_t)
@@ -24792,7 +25105,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -515,12 +594,46 @@
+@@ -515,12 +602,47 @@
')
optional_policy(`
@@ -24800,6 +25113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dbus_role_template(xdm, system_r, xdm_t)
+
+ dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms;
++ xserver_xdm_append_log(xdm_dbusd_t)
+
+ corecmd_bin_entry_type(xdm_t)
+
@@ -24839,7 +25153,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hostname_exec(xdm_t)
')
-@@ -542,6 +655,38 @@
+@@ -542,6 +664,38 @@
')
optional_policy(`
@@ -24878,7 +25192,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(xdm_t)
')
-@@ -550,8 +695,9 @@
+@@ -550,8 +704,9 @@
')
optional_policy(`
@@ -24890,7 +25204,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -560,7 +706,6 @@
+@@ -560,7 +715,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -24898,7 +25212,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +716,10 @@
+@@ -571,6 +725,10 @@
')
optional_policy(`
@@ -24909,7 +25223,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xfs_stream_connect(xdm_t)
')
-@@ -587,10 +736,9 @@
+@@ -587,10 +745,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -24921,7 +25235,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -602,9 +750,12 @@
+@@ -602,9 +759,12 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -24934,7 +25248,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
-@@ -616,13 +767,14 @@
+@@ -616,13 +776,14 @@
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@@ -24950,7 +25264,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +787,19 @@
+@@ -635,9 +796,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -24970,7 +25284,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -671,7 +833,6 @@
+@@ -671,7 +842,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -24978,7 +25292,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -681,9 +842,12 @@
+@@ -681,9 +851,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -24992,7 +25306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -698,8 +862,12 @@
+@@ -698,8 +871,12 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -25005,7 +25319,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -721,6 +889,7 @@
+@@ -721,6 +898,7 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -25013,7 +25327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
modutils_domtrans_insmod(xserver_t)
-@@ -743,7 +912,7 @@
+@@ -743,7 +921,7 @@
')
ifdef(`enable_mls',`
@@ -25022,7 +25336,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
')
-@@ -775,12 +944,20 @@
+@@ -775,12 +953,20 @@
')
optional_policy(`
@@ -25044,7 +25358,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_domtrans(xserver_t)
')
-@@ -807,12 +984,12 @@
+@@ -807,12 +993,12 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -25061,7 +25375,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Run xkbcomp.
allow xserver_t xkb_var_lib_t:lnk_file read;
-@@ -828,9 +1005,14 @@
+@@ -828,9 +1014,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -25076,7 +25390,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -845,11 +1027,14 @@
+@@ -845,11 +1036,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -25092,7 +25406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -882,6 +1067,8 @@
+@@ -882,6 +1076,8 @@
# X Server
# can read server-owned resources
allow x_domain xserver_t:x_resource read;
@@ -25101,7 +25415,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# can mess with own clients
allow x_domain self:x_client { manage destroy };
-@@ -906,6 +1093,8 @@
+@@ -906,6 +1102,8 @@
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -25110,7 +25424,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# X Colormaps
# can use the default colormap
allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -973,17 +1162,49 @@
+@@ -973,17 +1171,49 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -25940,7 +26254,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/init.te 2009-10-28 09:49:31.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/init.te 2009-11-09 16:27:27.000000000 -0500
@@ -17,6 +17,20 @@
##
gen_tunable(init_upstart, false)
@@ -27016,6 +27330,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-sysnet_dns_name_resolve(iscsid_t)
+miscfiles_read_localization(iscsid_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.6.32/policy/modules/system/kdump.te
+--- nsaserefpolicy/policy/modules/system/kdump.te 2009-09-09 09:23:16.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/kdump.te 2009-11-09 11:33:54.000000000 -0500
+@@ -29,6 +29,7 @@
+ files_read_kernel_img(kdump_t)
+
+ kernel_read_system_state(kdump_t)
++kernel_read_core_if(kdump_t)
+
+ dev_read_framebuffer(kdump_t)
+ dev_read_sysfs(kdump_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-11-04 09:29:07.000000000 -0500
@@ -27867,7 +28192,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2009-10-09 09:10:29.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2009-11-09 15:19:47.000000000 -0500
@@ -23,6 +23,28 @@
########################################
@@ -27942,6 +28267,40 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to write fonts.
##
##
+@@ -255,6 +315,24 @@
+
+ ########################################
+ ##
++## Allow process to search man pages.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`miscfiles_search_man_pages',`
++ gen_require(`
++ type man_t;
++ ')
++
++ allow $1 man_t:dir search_dir_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to search man pages.
+ ##
+ ##
+@@ -268,7 +346,7 @@
+ type man_t;
+ ')
+
+- dontaudit $1 man_t:dir search;
++ dontaudit $1 man_t:dir search_dir_perms;
+ ')
+
+ ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.6.32/policy/modules/system/miscfiles.te
--- nsaserefpolicy/policy/modules/system/miscfiles.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.te 2009-10-09 09:09:07.000000000 -0400
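Review bot: The parameter summary of the new `miscfiles_search_man_pages` interface reads `Domain to not audit.` although its body is an `allow` rule, not a `dontaudit`; it should read `## Domain allowed access.` as the other allow interfaces in this file do, and the wording looks copied from the neighbouring `miscfiles_dontaudit_search_man_pages` block. Separately, changing that dontaudit from `search` to `search_dir_perms` silences every permission in that set on `man_t` directories, not only search; that is consistent with the new allow rule but is a wider audit gap than the one-word diff suggests and is worth a mention in the changelog.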
@@ -27968,7 +28327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# gentoo init scripts still manage this file
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.6.32/policy/modules/system/modutils.if
--- nsaserefpolicy/policy/modules/system/modutils.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/modutils.if 2009-10-26 15:15:11.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/modutils.if 2009-11-09 13:38:57.000000000 -0500
@@ -1,5 +1,24 @@
## Policy for kernel module utilities
@@ -28044,7 +28403,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.32/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/modutils.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/modutils.te 2009-11-09 16:33:47.000000000 -0500
@@ -19,6 +19,7 @@
type insmod_exec_t;
application_domain(insmod_t, insmod_exec_t)
@@ -28062,7 +28421,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow depmod_t modules_dep_t:file manage_file_perms;
files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
-@@ -56,6 +57,7 @@
+@@ -56,12 +57,14 @@
domain_use_interactive_fds(depmod_t)
@@ -28070,7 +28429,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_kernel_symbol_table(depmod_t)
files_read_kernel_modules(depmod_t)
files_read_etc_runtime_files(depmod_t)
-@@ -83,7 +85,13 @@
+ files_read_etc_files(depmod_t)
+ files_read_usr_src_files(depmod_t)
+ files_list_usr(depmod_t)
++files_read_boot_files(depmod_t)
+
+ fs_getattr_xattr_fs(depmod_t)
+
+@@ -75,6 +78,14 @@
+ # Read System.map from home directories.
+ files_list_home(depmod_t)
+ userdom_read_user_home_content_files(depmod_t)
++userdom_manage_user_tmp_files(depmod_t)
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_read_nfs_files(depmod_t)
++')
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_files(depmod_t)
++')
+
+ ifdef(`distro_ubuntu',`
+ optional_policy(`
+@@ -83,7 +94,13 @@
')
optional_policy(`
@@ -28084,7 +28465,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -91,19 +99,23 @@
+@@ -91,19 +108,23 @@
# insmod local policy
#
@@ -28110,7 +28491,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_write_proc_files(insmod_t)
kernel_mount_debugfs(insmod_t)
kernel_mount_kvmfs(insmod_t)
-@@ -112,6 +124,7 @@
+@@ -112,6 +133,7 @@
kernel_read_kernel_sysctls(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
kernel_read_hotplug_sysctls(insmod_t)
@@ -28118,7 +28499,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(insmod_t)
corecmd_exec_shell(insmod_t)
-@@ -124,9 +137,7 @@
+@@ -124,9 +146,7 @@
dev_read_sound(insmod_t)
dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t)
@@ -28129,11 +28510,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
-@@ -144,11 +155,14 @@
+@@ -144,11 +164,15 @@
files_write_kernel_modules(insmod_t)
fs_getattr_xattr_fs(insmod_t)
+fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
++fs_mount_rpc_pipefs(insmod_t)
init_rw_initctl(insmod_t)
init_use_fds(insmod_t)
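Review bot: `fs_mount_rpc_pipefs(insmod_t)` gives the module loader a filesystem mount permission without any comment or changelog entry explaining the trigger, which is the kind of grant that is hard to justify or revoke later. It is presumably driven by a modprobe install hook that mounts rpc_pipefs when the sunrpc module is loaded, but that is an inference; please record the actual denial it resolves in a comment above the line, e.g. `# modprobe install hook mounts rpc_pipefs when loading sunrpc -- TODO confirm`, and add the item to the 3.6.32-42 changelog.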
@@ -28144,7 +28526,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(insmod_t)
logging_search_logs(insmod_t)
-@@ -157,19 +171,31 @@
+@@ -157,19 +181,31 @@
seutil_read_file_contexts(insmod_t)
@@ -28179,7 +28561,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hotplug_search_config(insmod_t)
')
-@@ -228,7 +254,7 @@
+@@ -228,7 +264,7 @@
can_exec(update_modules_t, update_modules_exec_t)
# manage module loading configuration
@@ -30644,7 +31026,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+HOME_DIR/\.gvfs(/.*)? <>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-11-04 08:52:47.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-11-09 16:32:16.000000000 -0500
@@ -30,8 +30,9 @@
')
@@ -32009,6 +32391,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
+@@ -1686,11 +1880,11 @@
+ #
+ interface(`userdom_dontaudit_read_user_home_content_files',`
+ gen_require(`
+- type user_home_t;
++ attribute user_home_type;
+ ')
+
+- dontaudit $1 user_home_t:dir list_dir_perms;
+- dontaudit $1 user_home_t:file read_file_perms;
++ dontaudit $1 user_home_type:dir list_dir_perms;
++ dontaudit $1 user_home_type:file read_file_perms;
+ ')
+
+ ########################################
@@ -1797,19 +1991,32 @@
#
interface(`userdom_exec_user_home_content_files',`
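Review bot: Switching `userdom_dontaudit_read_user_home_content_files` from `user_home_t` to the `user_home_type` attribute silences read denials for every home-content type rather than just generic home files, and it does so for every existing caller of the interface, not only the abrt case the changelog mentions. Those denials on more specific home types (key and credential directories, for instance) are exactly the signal an administrator uses to notice a domain reading something it should not, so the wider dontaudit costs visibility for all consumers. If only abrt needs the attribute-wide scope, a separate interface keeps the original narrow; otherwise the interface summary above `interface(`userdom_dontaudit_read_user_home_content_files',`, which is outside this hunk, should say that all user home content types are covered.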
@@ -32057,59 +32454,133 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2391,7 +2599,7 @@
+@@ -2196,7 +2404,7 @@
########################################
##
--## Read user tmpfs files.
-+## Read/Write user tmpfs files.
+-## Do not audit attempts to manage users
++## Do not audit attempts to write users
+ ## temporary files.
##
##
- ##
-@@ -2399,19 +2607,20 @@
+@@ -2205,37 +2413,56 @@
##
##
#
--interface(`userdom_read_user_tmpfs_files',`
-+interface(`userdom_rw_user_tmpfs_files',`
+-interface(`userdom_dontaudit_manage_user_tmp_files',`
++interface(`userdom_dontaudit_write_user_tmp_files',`
gen_require(`
- type user_tmpfs_t;
+ type user_tmp_t;
')
-- read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-+ rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-+ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
- allow $1 user_tmpfs_t:dir list_dir_perms;
- fs_search_tmpfs($1)
+- dontaudit $1 user_tmp_t:file manage_file_perms;
++ dontaudit $1 user_tmp_t:file write;
')
########################################
##
--## Read user tmpfs files.
-+## Get the attributes of a user domain tty.
+-## Read user temporary symbolic links.
++## Do not audit attempts to manage users
++## temporary files.
##
##
##
-@@ -2419,33 +2628,12 @@
+-## Domain allowed access.
++## Domain to not audit.
##
##
#
--interface(`userdom_rw_user_tmpfs_files',`
-+interface(`userdom_getattr_user_ttys',`
+-interface(`userdom_read_user_tmp_symlinks',`
++interface(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
-- type user_tmpfs_t;
-+ type user_tty_device_t;
+ type user_tmp_t;
')
-- rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-- read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-- allow $1 user_tmpfs_t:dir list_dir_perms;
-- fs_search_tmpfs($1)
--')
--
--########################################
--##
--## Get the attributes of a user domain tty.
+- read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+- allow $1 user_tmp_t:dir list_dir_perms;
+- files_search_tmp($1)
++ dontaudit $1 user_tmp_t:file manage_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete user
++## Read user temporary symbolic links.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_read_user_tmp_symlinks',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
++ allow $1 user_tmp_t:dir list_dir_perms;
++ files_search_tmp($1)
++')
++
++########################################
++##
++## Create, read, write, and delete user
+ ## temporary directories.
+ ##
+ ##
+@@ -2276,6 +2503,46 @@
+ ########################################
+ ##
+ ## Create, read, write, and delete user
++## temporary chr files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_manage_user_tmp_chr_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
++ files_search_tmp($1)
++')
++
++########################################
++##
++## Create, read, write, and delete user
++## temporary blk files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_manage_user_tmp_blk_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
++ files_search_tmp($1)
++')
++
++########################################
++##
++## Create, read, write, and delete user
+ ## temporary symbolic links.
+ ##
+ ##
+@@ -2391,27 +2658,7 @@
+
+ ########################################
+ ##
+-## Read user tmpfs files.
-##
-##
-##
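Review bot: The new `userdom_manage_user_tmp_chr_files` and `userdom_manage_user_tmp_blk_files` interfaces let a caller create device nodes under `user_tmp_t`, a far more sensitive grant than the file and symlink variants beside them, yet their summaries say only "temporary chr files" and "temporary blk files". The summary of each should state the intent and the caveat, for example `## Create, read, write, and delete device nodes in user temporary directories. The caller also needs the mknod capability; grant only to domains that must place device nodes there.` No caller of either interface is visible in this chunk and the 3.6.32-42 changelog does not mention them, so naming the consuming domain in the summary or the changelog would make the grant reviewable later.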
@@ -32117,17 +32588,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-##
-##
-#
--interface(`userdom_getattr_user_ttys',`
+-interface(`userdom_read_user_tmpfs_files',`
- gen_require(`
-- type user_tty_device_t;
+- type user_tmpfs_t;
- ')
-
-- allow $1 user_tty_device_t:chr_file getattr;
-+ allow $1 user_tty_device_t:chr_file getattr;
- ')
-
- ########################################
-@@ -2749,7 +2937,7 @@
+- read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+- allow $1 user_tmpfs_t:dir list_dir_perms;
+- fs_search_tmpfs($1)
+-')
+-
+-########################################
+-##
+-## Read user tmpfs files.
++## Read/Write user tmpfs files.
+ ##
+ ##
+ ##
+@@ -2749,7 +2996,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
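Review bot: The inner patch now removes `userdom_read_user_tmpfs_files` outright (the `+-interface(`userdom_read_user_tmpfs_files',` lines) where the previous revision of policy-F12.patch renamed it, so any module still calling the read-only interface will fail to build once the patch is applied. Keeping the read-only interface with its original `read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)` body costs nothing and leaves the narrower grant available to callers that only need read access; dropping it pushes them towards `userdom_rw_user_tmpfs_files` and a write permission they may not need. The relabelled "Read/Write user tmpfs files." header this hunk introduces continues outside the hunk.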
@@ -32136,7 +32614,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2765,11 +2953,32 @@
+@@ -2765,11 +3012,32 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -32171,7 +32649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2897,7 +3106,25 @@
+@@ -2897,7 +3165,25 @@
type user_tmp_t;
')
@@ -32198,7 +32676,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2934,6 +3161,7 @@
+@@ -2934,6 +3220,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -32206,7 +32684,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_search_proc($1)
')
-@@ -3064,3 +3292,578 @@
+@@ -3064,3 +3351,578 @@
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c2844b2..e146d83 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 41%{?dist}
+Release: 42%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -445,6 +445,25 @@ exit 0
%endif
%changelog
+* Mon Nov 9 2009 Dan Walsh 3.6.32-42
+- Allow kdump to read the kernel core interface
+- Dontaudit abrt read all files in home dir
+- Allow kismet client to write to .kismet dir in homedir
+- Turn on asterisk policy and allow logrotate to communicate with it
+- Allow abrt to manage rpm cache files
+- Rules to allow sysadm_t to install a kernel
+- Allow local_login to read console_device_t to Z series logins
+- Allow automount and devicekit_disk to search all filesystem dirs
+- Allow corosync to setrlimit
+- Allow hal to read modules.dep
+- Fix xdm using pcscd
+- Dontaudit gssd trying to write user_tmp_t, kerberos libary problem.
+- Eliminate transition from unconifned_t to loadkeys_t
+- Dontaudit several leaks to xauth_t
+- Allow xdm_t to search for man pages
+- Allow xdm_dbus to append to xdm log
+
+
* Wed Nov 4 2009 Dan Walsh 3.6.32-41
- Allow podsleuth to send signals to users
- Allow mail agents to getattr on fifo files from apps that execute mail agent