diff --git a/policy-F13.patch b/policy-F13.patch
index b439cb1..8a089cd 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -1797,7 +1797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.19/policy/modules/admin/shutdown.te
--- nsaserefpolicy/policy/modules/admin/shutdown.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2010-04-30 16:48:20.000000000 -0400
@@ -0,0 +1,57 @@
+policy_module(shutdown,1.0.0)
+
@@ -1825,7 +1825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
+#
+
+allow shutdown_t self:capability { dac_override kill setuid sys_tty_config };
-+allow shutdown_t self:process { fork signal };
++allow shutdown_t self:process { fork signal signull };
+
+allow shutdown_t self:fifo_file manage_fifo_file_perms;
+allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
@@ -8731,7 +8731,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.19/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2010-04-05 14:44:26.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/kernel/files.te 2010-04-21 10:00:10.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/kernel/files.te 2010-05-04 15:02:47.000000000 -0400
+@@ -1,4 +1,4 @@
+-
++
+ policy_module(files, 1.12.5)
+
+ ########################################
@@ -12,6 +12,7 @@
attribute mountpoint;
attribute pidfile;
@@ -9440,6 +9446,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
+ fs_type($1)
+ mls_trusted_object($1)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.7.19/policy/modules/kernel/storage.fc
+--- nsaserefpolicy/policy/modules/kernel/storage.fc 2010-03-05 10:46:32.000000000 -0500
++++ serefpolicy-3.7.19/policy/modules/kernel/storage.fc 2010-05-03 14:03:35.000000000 -0400
+@@ -20,6 +20,7 @@
+ /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/hitcd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/ht[0-1] -b gen_context(system_u:object_r:tape_device_t,s0)
++/dev/hwcdrom -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.19/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if 2009-12-18 11:38:25.000000000 -0500
+++ serefpolicy-3.7.19/policy/modules/kernel/storage.if 2010-04-14 10:48:18.000000000 -0400
@@ -12174,8 +12191,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.19/policy/modules/services/aisexec.te
--- nsaserefpolicy/policy/modules/services/aisexec.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/aisexec.te 2010-04-14 10:48:18.000000000 -0400
-@@ -0,0 +1,115 @@
++++ serefpolicy-3.7.19/policy/modules/services/aisexec.te 2010-05-04 13:38:36.000000000 -0400
+@@ -0,0 +1,118 @@
+
+policy_module(aisexec,1.0.0)
+
@@ -12291,6 +12308,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
+ groupd_rw_semaphores(aisexec_t)
+ groupd_rw_shm(aisexec_t)
+')
++
++userdom_rw_semaphores(aisexec_t)
++userdom_rw_unpriv_user_shared_mem(aisexec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.19/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2010-04-06 15:15:38.000000000 -0400
+++ serefpolicy-3.7.19/policy/modules/services/apache.fc 2010-04-30 09:52:59.000000000 -0400
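Review bot: `userdom_rw_semaphores(aisexec_t)` and `userdom_rw_unpriv_user_shared_mem(aisexec_t)` are added unconditionally, outside the preceding optional_policy block, and as the interface names indicate they give the cluster daemon read/write access to the SysV semaphores and shared memory of every unprivileged user domain rather than to a type owned by the cluster stack. A one-line comment naming the client program and the denial that motivated it would make the grant reviewable, e.g. `# <client> shares SysV IPC with aisexec (see <bug-id>) — confirm`. If only one cooperating program uses that IPC, a dedicated type or an optional_policy keyed to that module would be the narrower fix. The enclosing aisexec.te hunk continues outside this view.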
@@ -14787,7 +14807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
role_transition $2 cobblerd_initrc_exec_t system_r;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.19/policy/modules/services/cobbler.te
--- nsaserefpolicy/policy/modules/services/cobbler.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/cobbler.te 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/cobbler.te 2010-05-03 09:22:50.000000000 -0400
@@ -40,6 +40,7 @@
allow cobblerd_t self:fifo_file rw_fifo_file_perms;
allow cobblerd_t self:tcp_socket create_stream_socket_perms;
@@ -14805,6 +14825,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
files_read_usr_files(cobblerd_t)
files_list_boot(cobblerd_t)
files_list_tmp(cobblerd_t)
+@@ -84,7 +87,7 @@
+ ')
+
+ optional_policy(`
+- apache_list_sys_content(cobblerd_t)
++ apache_read_sys_content(cobblerd_t)
+ ')
+
+ optional_policy(`
@@ -119,3 +122,12 @@
optional_policy(`
tftp_manage_rw_content(cobblerd_t)
@@ -16407,8 +16436,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.19/policy/modules/services/denyhosts.te
--- nsaserefpolicy/policy/modules/services/denyhosts.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/denyhosts.te 2010-04-14 10:48:18.000000000 -0400
-@@ -0,0 +1,73 @@
++++ serefpolicy-3.7.19/policy/modules/services/denyhosts.te 2010-05-04 13:25:38.000000000 -0400
+@@ -0,0 +1,74 @@
+
+policy_module(denyhosts, 1.0.0)
+
@@ -16437,7 +16466,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+#
+# DenyHosts personal policy.
+#
-+
++# Bug #588563
++allow denyhosts_t self:capability sys_tty_config;
+allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
+allow denyhosts_t self:tcp_socket create_socket_perms;
+allow denyhosts_t self:udp_socket create_socket_perms;
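Review bot: `allow denyhosts_t self:capability sys_tty_config;` is justified only by `# Bug #588563`, which tells a later reader nothing about what the daemon does that needs the capability; extend it to `# Bug #588563: <reason the daemon needs sys_tty_config> — confirm`. If the capability is merely requested and not functionally required, the conventional refpolicy treatment for sys_tty_config in daemon domains is `dontaudit denyhosts_t self:capability sys_tty_config;` rather than an allow, so it is worth checking which case this is before granting it.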
@@ -17140,6 +17170,81 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.7.19/policy/modules/services/exim.if
+--- nsaserefpolicy/policy/modules/services/exim.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/exim.if 2010-05-03 14:32:10.000000000 -0400
+@@ -20,6 +20,24 @@
+
+ ########################################
+ ##
++## Execute exim in the exim domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`exim_initrc_domtrans', `
++ gen_require(`
++ type exim_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, exim_initrc_exec_t)
++')
++
++########################################
++##
+ ## Do not audit attempts to read,
+ ## exim tmp files
+ ##
+@@ -194,3 +212,46 @@
+ manage_files_pattern($1, exim_spool_t, exim_spool_t)
+ files_search_spool($1)
+ ')
++
++########################################
++##
++## All of the rules required to administrate
++## an exim environment.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++#
++interface(`exim_admin', `
++ gen_require(`
++ type exim_t, exim_initrc_exec_t, exim_log_t;
++ type exim_tmp_t, exim_spool_t, exim_var_run_t;
++ ')
++
++ allow $1 exim_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, exim_t, exim_t)
++
++ exim_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 exim_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ logging_search_logs($1)
++ admin_pattern($1, exim_log_t)
++
++ files_search_tmp($1)
++ admin_pattern($1, exim_tmp_t)
++
++ files_search_spool($1)
++ admin_pattern($1, exim_spool_t)
++
++ files_search_pids($1)
++ admin_pattern($1, exim_var_run_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.7.19/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 2010-03-04 11:17:25.000000000 -0500
+++ serefpolicy-3.7.19/policy/modules/services/exim.te 2010-04-30 09:53:00.000000000 -0400
@@ -18305,7 +18410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.7.19/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/hal.if 2010-04-20 08:14:46.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/hal.if 2010-05-04 15:34:12.000000000 -0400
@@ -367,7 +367,7 @@
##
#
@@ -21091,6 +21196,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.t
kernel_read_system_state(nx_server_t)
kernel_read_kernel_sysctls(nx_server_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.7.19/policy/modules/services/oddjob.fc
+--- nsaserefpolicy/policy/modules/services/oddjob.fc 2009-07-28 13:28:33.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/oddjob.fc 2010-04-30 16:44:14.000000000 -0400
+@@ -1,4 +1,5 @@
+ /usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
++/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+
+ /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.19/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if 2009-07-28 13:28:33.000000000 -0400
+++ serefpolicy-3.7.19/policy/modules/services/oddjob.if 2010-04-14 10:48:18.000000000 -0400
@@ -22386,6 +22500,75 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port
/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.7.19/policy/modules/services/portreserve.if
+--- nsaserefpolicy/policy/modules/services/portreserve.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/portreserve.if 2010-05-03 14:32:10.000000000 -0400
+@@ -18,6 +18,24 @@
+ domtrans_pattern($1, portreserve_exec_t, portreserve_t)
+ ')
+
++########################################
++##
++## Execute portreserve in the portreserve domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`portreserve_initrc_domtrans', `
++ gen_require(`
++ type portreserve_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, portreserve_initrc_exec_t)
++')
++
+ #######################################
+ ##
+ ## Allow the specified domain to read
+@@ -64,3 +82,40 @@
+ manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+ read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+ ')
++
++########################################
++##
++## All of the rules required to administrate
++## an portreserve environment.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++#
++interface(`portreserve_admin', `
++ gen_require(`
++ type portreserve_t, portreserve_etc_t;
++ type portreserve_initrc_exec_t, portreserve_var_run_t;
++ ')
++
++ allow $1 portreserve_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, portreserve_t, portreserve_t)
++
++ portreserve_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 portreserve_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_search_etc($1)
++ admin_pattern($1, portreserve_etc_t)
++
++ files_search_pids($1)
++ admin_pattern($1, portreserve_var_run_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.19/policy/modules/services/portreserve.te
--- nsaserefpolicy/policy/modules/services/portreserve.te 2010-04-06 15:15:38.000000000 -0400
+++ serefpolicy-3.7.19/policy/modules/services/portreserve.te 2010-04-30 09:53:00.000000000 -0400
@@ -22423,7 +22606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.19/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2010-05-03 14:32:10.000000000 -0400
@@ -46,6 +46,7 @@
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -22492,7 +22675,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
## Allow domain to read postfix local process state
##
##
-@@ -368,6 +395,25 @@
+@@ -349,6 +376,25 @@
+ domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
+ ')
+
++
++########################################
++##
++## Execute the master postfix in the postfix master domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`postfix_initrc_domtrans', `
++ gen_require(`
++ type postfix_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, postfix_initrc_exec_t)
++')
++
+ ########################################
+ ##
+ ## Execute the master postfix program in the
+@@ -368,6 +414,25 @@
can_exec($1, postfix_master_exec_t)
')
@@ -22518,7 +22727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
##
## Create a named socket in a postfix private directory.
-@@ -378,7 +424,7 @@
+@@ -378,7 +443,7 @@
##
##
#
@@ -22527,7 +22736,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
gen_require(`
type postfix_private_t;
')
-@@ -389,6 +435,25 @@
+@@ -389,6 +454,25 @@
########################################
##
@@ -22553,7 +22762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
## Execute the master postfix program in the
## postfix_master domain.
##
-@@ -418,10 +483,10 @@
+@@ -418,10 +502,10 @@
#
interface(`postfix_search_spool',`
gen_require(`
@@ -22566,21 +22775,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
files_search_spool($1)
')
-@@ -437,15 +502,34 @@
+@@ -437,11 +521,30 @@
#
interface(`postfix_list_spool',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
- ')
-
-- allow $1 postfix_spool_t:dir list_dir_perms;
++ ')
++
+ allow $1 postfix_spool_type:dir list_dir_perms;
- files_search_spool($1)
- ')
-
- ########################################
- ##
++ files_search_spool($1)
++')
++
++########################################
++##
+## Getattr postfix mail spool files.
+##
+##
@@ -22592,18 +22800,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+interface(`postfix_getattr_spool_files',`
+ gen_require(`
+ attribute postfix_spool_type;
-+ ')
-+
-+ files_search_spool($1)
+ ')
+
+- allow $1 postfix_spool_t:dir list_dir_perms;
+ files_search_spool($1)
+ getattr_files_pattern($1, postfix_spool_type, postfix_spool_type)
-+')
-+
-+########################################
-+##
- ## Read postfix mail spool files.
- ##
- ##
-@@ -456,16 +540,16 @@
+ ')
+
+ ########################################
+@@ -456,16 +559,16 @@
#
interface(`postfix_read_spool_files',`
gen_require(`
@@ -22623,7 +22828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
##
##
##
-@@ -475,11 +559,11 @@
+@@ -475,11 +578,11 @@
#
interface(`postfix_manage_spool_files',`
gen_require(`
@@ -22637,7 +22842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
########################################
-@@ -500,3 +584,80 @@
+@@ -500,3 +603,156 @@
typeattribute $1 postfix_user_domtrans;
')
@@ -22718,6 +22923,82 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+ role $2 types postfix_postdrop_t;
+')
+
++########################################
++##
++## All of the rules required to administrate
++## an postfix environment.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++#
++interface(`postfix_admin', `
++ gen_require(`
++ type postfix_bounce_t, postfix_cleanup_t, postfix_local_t;
++ type postfix_master_t, postfix_pickup_t, postfix_qmgr_t;
++ type postfix_smtpd_t;
++
++ attribute postfix_spool_type;
++
++ type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t;
++ type postfix_var_run_t;
++
++ type postfix_map_tmp, postfix_prng_t, postfix_public_t;
++ ')
++
++ allow $1 postfix_bounce_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, postfix_bounce_t, postfix_bounce_t)
++
++ allow $1 postfix_cleanup_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, postfix_cleanup_t, postfix_cleanup_t)
++
++ allow $1 postfix_local_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, postfix_local_t, postfix_local_t)
++
++ allow $1 postfix_master_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, postfix_master_t, postfix_master_t)
++
++ allow $1 postfix_pickup_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, postfix_pickup_t, postfix_pickup_t)
++
++ allow $1 postfix_qmgr_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, postfix_qmgr_t, postfix_qmgr_t)
++
++ allow $1 postfix_smtpd_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, postfix_smtpd_t, postfix_smtpd_t)
++
++ postfix_run_map($1,$2)
++ postfix_run_postdrop($1,$2)
++
++ postfix_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 postfix_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ admin_pattern($1, postfix_data_t)
++
++ files_list_etc($1)
++ admin_pattern($1, postfix_etc_t)
++
++ files_search_spool($1)
++ admin_pattern($1,postfix_spool_type)
++
++ admin_pattern($1, postfix_var_run_t)
++
++ files_search_tmp($1)
++ admin_pattern($1, postfix_map_tmp)
++
++ admin_pattern($1, postfix_prng_t)
++
++ admin_pattern($1, postfix_public_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.19/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-02-12 10:33:09.000000000 -0500
+++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2010-04-30 09:53:00.000000000 -0400
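Review bot: postfix_admin's gen_require lists `type postfix_map_tmp, postfix_prng_t, postfix_public_t;` and later calls `admin_pattern($1, postfix_map_tmp)`, yet every other type in this block and in the rest of the patch carries the `_t` suffix, so this looks like it should read `postfix_map_tmp_t` — verify against postfix.te, since a gen_require on an undeclared type fails when the module is built. As a point of style, `admin_pattern($1,postfix_spool_type)` and the two `postfix_run_*($1,$2)` calls drop the space after the comma that the rest of the block uses.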
@@ -23828,8 +24109,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.19/policy/modules/services/rgmanager.if
--- nsaserefpolicy/policy/modules/services/rgmanager.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/rgmanager.if 2010-04-14 10:48:18.000000000 -0400
-@@ -0,0 +1,98 @@
++++ serefpolicy-3.7.19/policy/modules/services/rgmanager.if 2010-05-03 14:32:10.000000000 -0400
+@@ -0,0 +1,141 @@
+## SELinux policy for rgmanager
+
+#######################################
@@ -23928,6 +24209,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+ manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
+ manage_lnk_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
+')
++
++######################################
++##
++## All of the rules required to administrate
++## an rgmanager environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed to manage the rgmanager domain.
++##
++##
++##
++#
++interface(`rgmanager_admin',`
++ gen_require(`
++ type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t;
++ type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
++ ')
++
++ allow $1 rgmanager_t:process { ptrace signal_perms };
++ read_files_pattern($1, rgmanager_t, rgmanager_t)
++
++ init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 rgmanager_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_search_tmp($1)
++ admin_pattern($1, rgmanager_tmp_t)
++
++ admin_pattern($1, rgmanager_tmpfs_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, rgmanager_var_log_t)
++
++ files_search_pids($1)
++ admin_pattern($1, rgmanager_var_run_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.19/policy/modules/services/rgmanager.te
--- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.19/policy/modules/services/rgmanager.te 2010-04-30 09:53:00.000000000 -0400
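Review bot: rgmanager_admin grants `allow $1 rgmanager_t:process { ptrace signal_perms };` without `getattr`, while every other *_admin interface added in this patch (exim, portreserve, postfix, ricci, sendmail, ssh) uses `{ ptrace signal_perms getattr }`; align it to `allow $1 rgmanager_t:process { ptrace signal_perms getattr };` unless the omission is deliberate. It also calls `init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)` directly where the sibling modules go through a `<module>_initrc_domtrans` interface; that works, but is inconsistent with the pattern the patch establishes elsewhere.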
@@ -24618,8 +24942,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.19/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2010-04-29 14:10:35.000000000 -0400
-@@ -0,0 +1,239 @@
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2010-05-04 15:30:36.000000000 -0400
+@@ -0,0 +1,240 @@
+
+policy_module(rhcs,1.1.0)
+
@@ -24707,6 +25031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+kernel_read_system_state(fenced_t)
+
+corecmd_exec_bin(fenced_t)
++corecmd_exec_shell(fenced_t)
+
+corenet_tcp_connect_http_port(fenced_t)
+
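Review bot: `corecmd_exec_shell(fenced_t)` lets the fence daemon execute a shell, on top of the `corecmd_exec_bin(fenced_t)` already on the line above, and the hunk gives no reason for the widening. A short comment stating the need, e.g. `# fence agents are shell scripts — confirm`, would document why the domain must be able to run an interpreter rather than only the agent binaries. The enclosing fenced_t policy block starts and ends outside this hunk.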
@@ -24869,6 +25194,82 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
/usr/libexec/modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0)
/usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.7.19/policy/modules/services/ricci.if
+--- nsaserefpolicy/policy/modules/services/ricci.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/ricci.if 2010-05-03 14:32:10.000000000 -0400
+@@ -18,6 +18,24 @@
+ domtrans_pattern($1, ricci_exec_t, ricci_t)
+ ')
+
++#######################################
++##
++## Execute ricci server in the ricci domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`ricci_initrc_domtrans', `
++ gen_require(`
++ type ricci_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, ricci_initrc_exec_t)
++')
++
+ ########################################
+ ##
+ ## Execute a domain transition to run ricci_modcluster.
+@@ -165,3 +183,47 @@
+
+ domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
+ ')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an ricci environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`ricci_admin',`
++ gen_require(`
++ type ricci_t, ricci_initrc_exec_t, ricci_tmp_t;
++ type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
++ ')
++
++ allow $1 ricci_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, ricci_t, ricci_t)
++
++ ricci_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 ricci_initrc_exec_t system_r;
++
++ files_search_tmp($1)
++ admin_pattern($1, ricci_tmp_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, ricci_var_lib_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, ricci_var_log_t)
++
++ files_search_pids($1)
++ admin_pattern($1, ricci_var_run_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.19/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.19/policy/modules/services/ricci.te 2010-04-30 09:53:00.000000000 -0400
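Review bot: ricci_admin emits `role_transition $2 ricci_initrc_exec_t system_r;` without the `allow $2 system_r;` that exim_admin, portreserve_admin, postfix_admin and rgmanager_admin in this same patch place right after their role_transition; add `allow $2 system_r;` after the role_transition line. The same omission appears in sendmail_admin (hunk `@@ -25800,6 +26226,53 @@`) and ssh_admin_server (hunk `@@ -26976,6 +27476,57 @@`). Without it the transition presumably only succeeds for callers whose role is already allowed system_r — confirm against how the other admin interfaces are consumed.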
@@ -25776,8 +26177,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.19/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/sendmail.if 2010-04-14 10:48:18.000000000 -0400
-@@ -277,3 +277,22 @@
++++ serefpolicy-3.7.19/policy/modules/services/sendmail.if 2010-05-03 14:32:10.000000000 -0400
+@@ -57,6 +57,24 @@
+ allow sendmail_t $1:process sigchld;
+ ')
+
++#######################################
++##
++## Execute sendmail in the sendmail domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`sendmail_initrc_domtrans', `
++ gen_require(`
++ type sendmail_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
++')
++
+ ########################################
+ ##
+ ## Execute the sendmail program in the sendmail domain.
+@@ -277,3 +295,69 @@
sendmail_domtrans_unconfined($1)
role $2 types unconfined_sendmail_t;
')
@@ -25800,6 +26226,53 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+ domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t)
+')
+
++
++########################################
++##
++## All of the rules required to administrate
++## an sendmail environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`sendmail_admin',`
++ gen_require(`
++ type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
++ type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
++ type mail_spool_t;
++ ')
++
++ allow $1 sendmail_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, sendmail_t, sendmail_t)
++
++ allow $1 unconfined_sendmail_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, unconfined_sendmail_t, unconfined_sendmail_t)
++
++ sendmail_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 sendmail_initrc_exec_t system_r;
++
++ logging_search_logs($1)
++ admin_pattern($1, sendmail_log_t)
++
++ files_search_tmp($1)
++ admin_pattern($1, sendmail_tmp_t)
++
++ files_search_pids($1)
++ admin_pattern($1, sendmail_var_run_t)
++
++ files_search_spool($1)
++ admin_pattern($1, mail_spool_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.19/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-11 09:40:36.000000000 -0500
+++ serefpolicy-3.7.19/policy/modules/services/sendmail.te 2010-04-30 09:53:00.000000000 -0400
@@ -26768,24 +27241,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.19/policy/modules/services/ssh.fc
--- nsaserefpolicy/policy/modules/services/ssh.fc 2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.fc 2010-04-30 09:53:00.000000000 -0400
-@@ -1,5 +1,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/ssh.fc 2010-05-03 09:10:35.000000000 -0400
+@@ -1,4 +1,7 @@
HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-
-+/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
++HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
+
++/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
+
/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
- /etc/ssh/ssh_host_dsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
-@@ -14,3 +16,5 @@
+@@ -14,3 +17,6 @@
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
+
+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
++/root/\.shosts gen_context(system_u:object_r:home_ssh_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.19/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2010-05-03 14:32:10.000000000 -0400
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -26866,9 +27340,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
corenet_tcp_bind_ssh_port($1_t)
corenet_tcp_connect_all_ports($1_t)
+ corenet_tcp_bind_all_unreserved_ports($1_t)
- corenet_sendrecv_ssh_server_packets($1_t)
-+ # -R qualifier
+ corenet_sendrecv_ssh_server_packets($1_t)
++ # -R qualifier
+ corenet_sendrecv_ssh_server_packets($1_t)
+ # tunnel feature and -w (net_admin capability also)
+ corenet_rw_tun_tap_dev($1_t)
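Review bot: On the resulting ssh.if side `corenet_sendrecv_ssh_server_packets($1_t)` appears to end up twice (the context line and the added line two lines below), and the `# -R qualifier` comment now sits between those two copies rather than above `corenet_tcp_bind_all_unreserved_ports($1_t)`, which is the rule it seems meant to explain; the page has lost the leading indentation so the exact marker assignment is uncertain, but the duplicate should be dropped and the comment moved above the bind rule. Binding every unreserved port is a broad grant for the server template domain; if it exists only for remote forwarding, gating it in a tunable_policy would let hosts that do not use -R keep the narrower policy. The enclosing ssh server template starts and ends outside this hunk.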
@@ -26925,7 +27399,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
userdom_user_home_domtrans($1_ssh_agent_t, $3)
allow $3 $1_ssh_agent_t:fd use;
allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
-@@ -696,6 +708,50 @@
+@@ -582,6 +594,25 @@
+ domtrans_pattern($1, sshd_exec_t, sshd_t)
+ ')
+
++
++########################################
++##
++## Execute sshd server in the sshd domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`ssh_initrc_domtrans',`
++ gen_require(`
++ type sshdd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, sshd_initrc_exec_t)
++')
++
+ ########################################
+ ##
+ ## Execute the ssh client in the caller domain.
+@@ -696,6 +727,50 @@
dontaudit $1 sshd_key_t:file { getattr read };
')
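Review bot: The gen_require in ssh_initrc_domtrans names `type sshdd_initrc_exec_t;` while the body calls `init_labeled_script_domtrans($1, sshd_initrc_exec_t)`, so the type required does not match the type used; change the require line to `type sshd_initrc_exec_t;`. ssh_admin_server later in this patch requires `sshd_initrc_exec_t` itself, which is consistent with the body here and indicates the extra `d` is a typo. If `sshdd_initrc_exec_t` is declared nowhere, any module calling this interface will fail to build.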
@@ -26976,6 +27476,57 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
#######################################
##
## Delete from the ssh temp files.
+@@ -714,3 +789,50 @@
+ files_search_tmp($1)
+ delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
+ ')
++
++########################################
++##
++## All of the rules required to administrate
++## an sshd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`ssh_admin_server',`
++ gen_require(`
++ type sshd_t, ssh_home_t, sshd_key_t, sshd_tmp_t;
++ type sshd_tmpfs_t, sshd_var_run_t;
++ type sshd_initrc_exec_t;
++ ')
++
++ allow $1 sshd_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, sshd_t, sshd_t)
++
++ ssh_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 sshd_initrc_exec_t system_r;
++
++ userdom_search_user_home_dirs($1)
++ userdom_search_admin_dir($1)
++ admin_pattern($1,ssh_home_t)
++
++ files_search_etc($1)
++ admin_pattern($1,sshd_key_t)
++
++ files_search_tmp($1)
++ admin_pattern($1, sshd_tmp_t)
++
++ admin_pattern($1, sshd_tmpfs_t)
++
++ files_search_pids($1)
++ admin_pattern($1, sshd_var_run_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-02-18 14:06:31.000000000 -0500
+++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2010-04-30 09:53:00.000000000 -0400
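Review bot: `admin_pattern($1,ssh_home_t)` in ssh_admin_server grants the admin domain full manage rights over everything labelled ssh_home_t, which per the ssh.fc hunk in this patch covers every user's `HOME_DIR/\.ssh(/.*)?` and `.shosts`, i.e. all users' key material and authorized_keys, not only sshd's own state. If that scope is intended for an sshd administrator, a comment such as `# admin may manage every user's ~/.ssh content (keys, authorized_keys)` should say so; otherwise the home-directory part could be split out so a caller can take only the server side. As a point of style, `admin_pattern($1,ssh_home_t)` and `admin_pattern($1,sshd_key_t)` lack the space after the comma that the other admin_pattern lines in the block use.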
@@ -28240,7 +28791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-04-28 13:07:41.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-05-04 10:22:41.000000000 -0400
@@ -36,6 +36,13 @@
##
@@ -28411,7 +28962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(iceauth_t)
-@@ -250,30 +290,58 @@
+@@ -250,30 +290,60 @@
fs_manage_cifs_files(iceauth_t)
')
@@ -28456,6 +29007,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
-allow xdm_t xauth_home_t:file manage_file_perms;
-userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
+stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
++
++kernel_read_system_state(xauth_t)
domain_use_interactive_fds(xauth_t)
+domain_dontaudit_leaks(xauth_t)
@@ -28473,7 +29026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
fs_search_auto_mountpoints(xauth_t)
# cjp: why?
-@@ -283,17 +351,36 @@
+@@ -283,17 +353,36 @@
userdom_use_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
@@ -28510,7 +29063,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
-@@ -305,20 +392,31 @@
+@@ -305,20 +394,32 @@
# XDM Local policy
#
@@ -28542,10 +29095,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
+#Handle mislabeled files in homedir
+userdom_delete_user_home_content_files(xdm_t)
++userdom_signull_unpriv_users(xdm_t)
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -332,26 +430,45 @@
+@@ -332,26 +433,45 @@
manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
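Review bot: `userdom_signull_unpriv_users(xdm_t)` is placed directly under the `#Handle mislabeled files in homedir` comment, which explains only the `userdom_delete_user_home_content_files(xdm_t)` call above it, so a reader will attribute the new signull grant to the mislabeled-files workaround. Separate it with a blank line and its own one-line why-comment naming which user processes xdm needs to probe for liveness, confirmed against the motivating denial. The xdm_t block continues outside the hunk.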
@@ -28596,7 +29150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t xserver_t:unix_stream_socket connectto;
allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
-@@ -359,10 +476,13 @@
+@@ -359,10 +479,13 @@
# transition to the xdm xserver
domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
@@ -28610,7 +29164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -371,15 +491,21 @@
+@@ -371,15 +494,21 @@
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -28633,7 +29187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
-@@ -394,11 +520,14 @@
+@@ -394,11 +523,14 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -28648,7 +29202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
-@@ -406,6 +535,7 @@
+@@ -406,6 +538,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -28656,7 +29210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -414,18 +544,22 @@
+@@ -414,18 +547,22 @@
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
@@ -28682,7 +29236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -436,9 +570,17 @@
+@@ -436,9 +573,17 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -28700,7 +29254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -447,14 +589,19 @@
+@@ -447,14 +592,19 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -28720,7 +29274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -465,10 +612,12 @@
+@@ -465,10 +615,12 @@
logging_read_generic_logs(xdm_t)
@@ -28735,7 +29289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -477,6 +626,11 @@
+@@ -477,6 +629,11 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -28747,7 +29301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -509,10 +663,12 @@
+@@ -509,10 +666,12 @@
optional_policy(`
alsa_domtrans(xdm_t)
@@ -28760,7 +29314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -520,12 +676,50 @@
+@@ -520,12 +679,50 @@
')
optional_policy(`
@@ -28811,7 +29365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
hostname_exec(xdm_t)
')
-@@ -543,20 +737,59 @@
+@@ -543,20 +740,59 @@
')
optional_policy(`
@@ -28873,7 +29427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -565,7 +798,6 @@
+@@ -565,7 +801,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -28881,7 +29435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +808,10 @@
+@@ -576,6 +811,10 @@
')
optional_policy(`
@@ -28892,7 +29446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xdm_t)
')
-@@ -600,10 +836,9 @@
+@@ -600,10 +839,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -28904,7 +29458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +850,18 @@
+@@ -615,6 +853,18 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -28923,7 +29477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +881,19 @@
+@@ -634,12 +884,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -28945,7 +29499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -673,7 +927,6 @@
+@@ -673,7 +930,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -28953,7 +29507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -683,9 +936,12 @@
+@@ -683,9 +939,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -28967,7 +29521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +956,13 @@
+@@ -700,8 +959,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -28981,7 +29535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -723,11 +984,14 @@
+@@ -723,11 +987,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -28996,7 +29550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -779,12 +1043,24 @@
+@@ -779,12 +1046,24 @@
')
optional_policy(`
@@ -29022,7 +29576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
unconfined_domtrans(xserver_t)
')
-@@ -811,7 +1087,7 @@
+@@ -811,7 +1090,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -29031,7 +29585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1108,14 @@
+@@ -832,9 +1111,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -29046,7 +29600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1130,14 @@
+@@ -849,11 +1133,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -29063,7 +29617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -999,3 +1283,33 @@
+@@ -999,3 +1286,33 @@
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -29433,7 +29987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.19/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2010-03-09 15:39:06.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/system/fstools.te 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/fstools.te 2010-04-30 13:26:42.000000000 -0400
@@ -118,6 +118,8 @@
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
@@ -29452,7 +30006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
ifdef(`distro_redhat',`
optional_policy(`
-@@ -167,6 +169,10 @@
+@@ -167,6 +169,14 @@
')
optional_policy(`
@@ -29460,6 +30014,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
+')
+
+optional_policy(`
++ livecd_rw_tmp_files(fsadm_t)
++')
++
++optional_policy(`
nis_use_ypbind(fsadm_t)
')
@@ -29763,7 +30321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-04-28 13:08:01.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-05-04 15:06:33.000000000 -0400
@@ -17,6 +17,20 @@
##
gen_tunable(init_upstart, false)
@@ -29830,7 +30388,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# For /var/run/shutdown.pid.
allow init_t init_var_run_t:file manage_file_perms;
-@@ -169,6 +187,8 @@
+@@ -121,6 +139,7 @@
+ corecmd_exec_bin(init_t)
+
+ dev_read_sysfs(init_t)
++dev_rw_generic_chr_files(init_t)
+
+ domain_getpgid_all_domains(init_t)
+ domain_kill_all_domains(init_t)
+@@ -169,6 +188,8 @@
miscfiles_read_localization(init_t)
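Review bot: `dev_rw_generic_chr_files(init_t)` grants init read/write on every character device still carrying the generic device_t label, which is far broader than the neighbouring `dev_read_sysfs(init_t)`; the denial that motivated it is presumably a single device node, and the narrower fix is to give that node its own type in devices.fc and call the matching dev_rw_* interface. At minimum the rule needs a comment naming the device, e.g. `# init writes to <device node> — TODO: label it and narrow this rule`. The init_t block continues outside the hunk.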
@@ -29839,7 +30405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
')
-@@ -192,10 +212,23 @@
+@@ -192,10 +213,23 @@
')
optional_policy(`
@@ -29863,7 +30429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
nscd_socket_use(init_t)
')
-@@ -213,7 +246,7 @@
+@@ -213,7 +247,7 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -29872,7 +30438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -242,6 +275,7 @@
+@@ -242,6 +276,7 @@
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -29880,7 +30446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
can_exec(initrc_t, initrc_tmp_t)
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -259,13 +293,22 @@
+@@ -259,13 +294,22 @@
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -29904,7 +30470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corenet_all_recvfrom_unlabeled(initrc_t)
corenet_all_recvfrom_netlabel(initrc_t)
-@@ -299,6 +342,7 @@
+@@ -299,6 +343,7 @@
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -29912,7 +30478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corecmd_exec_all_executables(initrc_t)
-@@ -325,8 +369,10 @@
+@@ -325,8 +370,10 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -29924,7 +30490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -342,6 +388,8 @@
+@@ -342,6 +389,8 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -29933,7 +30499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
-@@ -352,6 +400,11 @@
+@@ -352,6 +401,11 @@
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -29945,7 +30511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -364,6 +417,7 @@
+@@ -364,6 +418,7 @@
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -29953,7 +30519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
selinux_get_enforce_mode(initrc_t)
-@@ -395,15 +449,16 @@
+@@ -395,15 +450,16 @@
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -29972,7 +30538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
userdom_use_user_terminals(initrc_t)
-@@ -471,7 +526,7 @@
+@@ -471,7 +527,7 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -29981,7 +30547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -517,6 +572,23 @@
+@@ -517,6 +573,23 @@
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -30005,7 +30571,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -542,6 +614,35 @@
+@@ -528,6 +601,7 @@
+ optional_policy(`
+ sysnet_rw_dhcp_config(initrc_t)
+ sysnet_manage_config(initrc_t)
++ sysnet_delete_dhcpc_state(initrc_t)
+ ')
+
+ optional_policy(`
+@@ -542,6 +616,35 @@
')
')
@@ -30041,7 +30615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -554,6 +655,8 @@
+@@ -554,6 +657,8 @@
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -30050,7 +30624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -594,6 +697,7 @@
+@@ -594,6 +699,7 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -30058,7 +30632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -647,11 +751,6 @@
+@@ -647,11 +753,6 @@
')
optional_policy(`
@@ -30070,7 +30644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
kerberos_use(initrc_t)
')
-@@ -690,12 +789,22 @@
+@@ -690,12 +791,22 @@
')
optional_policy(`
@@ -30093,7 +30667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -718,6 +827,10 @@
+@@ -718,6 +829,10 @@
')
optional_policy(`
@@ -30104,7 +30678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -760,8 +873,6 @@
+@@ -760,8 +875,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -30113,7 +30687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -774,10 +885,12 @@
+@@ -774,10 +887,12 @@
squid_manage_logs(initrc_t)
')
@@ -30126,7 +30700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -790,6 +903,7 @@
+@@ -790,6 +905,7 @@
optional_policy(`
udev_rw_db(initrc_t)
@@ -30134,7 +30708,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
udev_manage_pid_files(initrc_t)
')
-@@ -798,11 +912,18 @@
+@@ -798,11 +914,18 @@
')
optional_policy(`
@@ -30154,7 +30728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -812,6 +933,25 @@
+@@ -812,6 +935,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -30180,7 +30754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -837,3 +977,34 @@
+@@ -837,3 +979,34 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -30217,7 +30791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.19/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-03-18 06:48:09.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2010-04-27 10:28:39.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2010-05-03 10:21:07.000000000 -0400
@@ -73,7 +73,7 @@
#
@@ -30227,15 +30801,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
allow ipsec_t self:process { getcap setcap getsched signal setsched };
allow ipsec_t self:tcp_socket create_stream_socket_perms;
allow ipsec_t self:udp_socket create_socket_perms;
-@@ -167,6 +167,7 @@
+@@ -167,6 +167,8 @@
miscfiles_read_localization(ipsec_t)
sysnet_domtrans_ifconfig(ipsec_t)
++sysnet_manage_config(ipsec_t)
+sysnet_etc_filetrans_config(ipsec_t)
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -186,7 +187,7 @@
+@@ -186,7 +188,7 @@
allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
dontaudit ipsec_mgmt_t self:capability sys_tty_config;
@@ -30244,7 +30819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -225,7 +226,6 @@
+@@ -225,7 +227,6 @@
manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
@@ -30252,7 +30827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# whack needs to connect to pluto
stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
-@@ -258,7 +258,7 @@
+@@ -258,7 +259,7 @@
domain_use_interactive_fds(ipsec_mgmt_t)
# denials when ps tries to search /proc. Do not audit these denials.
@@ -30261,7 +30836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# suppress audit messages about unnecessary socket access
# cjp: this seems excessive
domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
-@@ -276,7 +276,7 @@
+@@ -276,7 +277,7 @@
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -30270,17 +30845,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
-@@ -291,7 +291,9 @@
+@@ -291,7 +292,9 @@
seutil_dontaudit_search_config(ipsec_mgmt_t)
-+sysnet_read_config(ipsec_mgmt_t)
++sysnet_manage_config(ipsec_mgmt_t)
sysnet_domtrans_ifconfig(ipsec_mgmt_t)
+sysnet_etc_filetrans_config(ipsec_mgmt_t)
userdom_use_user_terminals(ipsec_mgmt_t)
-@@ -386,6 +388,8 @@
+@@ -386,6 +389,8 @@
sysnet_exec_ifconfig(racoon_t)
@@ -30289,7 +30864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -412,6 +416,7 @@
+@@ -412,6 +417,7 @@
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
@@ -30297,7 +30872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
-@@ -423,3 +428,4 @@
+@@ -423,3 +429,4 @@
seutil_read_config(setkey_t)
userdom_use_user_terminals(setkey_t)
@@ -32685,7 +33260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.19/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-03-23 10:55:15.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.if 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.if 2010-05-04 11:16:26.000000000 -0400
@@ -60,25 +60,24 @@
netutils_run(dhcpc_t, $2)
netutils_run_ping(dhcpc_t, $2)
@@ -32820,7 +33395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.19/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-03-23 10:55:15.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-04-20 08:13:32.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-05-04 15:34:19.000000000 -0400
@@ -20,6 +20,9 @@
init_daemon_domain(dhcpc_t, dhcpc_exec_t)
role system_r types dhcpc_t;
@@ -32890,11 +33465,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
-@@ -328,6 +346,7 @@
+@@ -328,6 +346,8 @@
optional_policy(`
hal_dontaudit_rw_pipes(ifconfig_t)
hal_dontaudit_rw_dgram_sockets(ifconfig_t)
+ hal_dontaudit_read_pid_files(ifconfig_t)
++ hal_write_log(ifconfig_t)
')
optional_policy(`
@@ -33745,7 +34321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.gvfs(/.*)? <>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-04-28 11:59:42.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-05-04 13:38:19.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -35218,7 +35794,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Get the attributes of a user domain tty.
##
##
-@@ -2787,7 +3085,7 @@
+@@ -2747,6 +3045,25 @@
+
+ ########################################
+ ##
++## Read/Write unpriviledged user SysV shared
++## memory segments.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_rw_unpriv_user_shared_mem',`
++ gen_require(`
++ attribute unpriv_userdomain;
++ ')
++
++ allow $1 unpriv_userdomain:shm rw_shm_perms;
++')
++
++########################################
++##
+ ## Execute bin_t in the unprivileged user domains. This
+ ## is an explicit transition, requiring the
+ ## caller to use setexeccon().
+@@ -2787,7 +3104,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -35227,7 +35829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2803,11 +3101,13 @@
+@@ -2803,11 +3120,13 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -35243,7 +35845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2944,7 +3244,7 @@
+@@ -2944,7 +3263,7 @@
type user_tmp_t;
')
@@ -35252,7 +35854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2981,6 +3281,7 @@
+@@ -2981,6 +3300,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -35260,7 +35862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
-@@ -3111,3 +3412,664 @@
+@@ -3111,3 +3431,664 @@
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 305c7ca..779c83f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 10%{?dist}
+Release: 11%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -468,10 +468,16 @@ exit 0
%endif
%changelog
+* Fri Apr 30 2010 Dan Walsh 3.7.19-11
+- Fix location of oddjob_mkhomedir
+Resolves: #587385
+- fix labeling on /root/.shosts and ~/.shosts
+- Allow ipsec_mgmt_t to manage net_conf_t
+Resolves: #586760
+
* Fri Apr 30 2010 Dan Walsh 3.7.19-10
- Dontaudit sandbox trying to connect to netlink sockets
Resolves: #587609
-- Add policy for piranha
* Thu Apr 29 2010 Dan Walsh 3.7.19-9
- Fixups for xguest policy