diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.12/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/sandbox.te 2009-05-22 10:14:07.000000000 -0400
@@ -38,3 +38,6 @@
 miscfiles_read_localization(sandbox_t)
 userdom_use_user_ptys(sandbox_t)
+
+kernel_dontaudit_read_system_state(sandbox_t)
+corecmd_exec_all_executables(sandbox_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.12/policy/modules/apps/vmware.fc
--- nsaserefpolicy/policy/modules/apps/vmware.fc 2009-04-07 15:54:49.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/vmware.fc 2009-05-26 08:07:56.000000000 -0400
@@ -63,6 +63,7 @@
 ')
 /var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
+/var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0)
 /var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
 /var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-05-22 08:57:14.000000000 -0400
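Review bot: `corecmd_exec_all_executables(sandbox_t)` lets the sandbox domain execute every file labelled with an `exec_type` type, not only bin_t and shell_exec_t, and nothing in the hunk records why the narrower `corecmd_exec_bin`/`corecmd_exec_shell` pair is insufficient. As I read that interface no domain transition is involved, so the programs keep running as sandbox_t, but the allowed set now grows automatically whenever another module declares a new executable type, which erodes the sandbox's least-privilege boundary over time. The paired `kernel_dontaudit_read_system_state` also hides denials that would otherwise show a sandboxed program probing /proc, so the rationale is worth writing down next to the rule: `# sandboxed apps may run any installed program, no transition -- TODO narrow to bin/shell if that suffices`.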
@@ -5224,6 +5224,7 @@
 attribute file_type;
 ')
+ allow $1 file_type:dir search_dir_perms;
 allow $1 file_type:file { getattr read write append lock };
 allow $1 file_type:fifo_file { getattr read write append ioctl lock };
 allow $1 file_type:sock_file { getattr read write append ioctl lock };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-05-22 08:57:53.000000000 -0400
@@ -817,7 +817,7 @@
 type proc_t;
 ')
- dontaudit $1 proc_t:file { getattr read };
+ dontaudit $1 proc_t:file { open getattr read };
 ')
 ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-05-21 15:11:07.000000000 -0400
@@ -334,6 +334,10 @@
 ')
 optional_policy(`
+ virt_stream_connect(sysadm_t)
+')
+
+optional_policy(`
 yam_run(sysadm_t, sysadm_r)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-05-22 05:49:21.000000000 -0400
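Review bot: The interface that gains `allow $1 file_type:dir search_dir_perms;` starts above the hunk, so its `## <summary>` block is not visible here; it should now mention directory search next to the read/write grant, because a caller reading only the summary would not expect search across every file_type directory. The rule itself is consistent with the adjacent file/fifo_file/sock_file lines, which already span all file types, so the addition looks correct and only the documentation needs to follow.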
@@ -52,6 +52,8 @@
 init_system_domain(unconfined_execmem_t, execmem_exec_t)
 role unconfined_r types unconfined_execmem_t;
 typealias execmem_exec_t alias unconfined_execmem_exec_t;
+userdom_unpriv_usertype(unconfined, unconfined_execmem_t)
+userdom_manage_tmpfs_role(unconfined_r, unconfined_execmem_t)
 type unconfined_notrans_t;
 type unconfined_notrans_exec_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.12/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/apache.fc 2009-05-26 09:24:52.000000000 -0400
@@ -98,4 +98,6 @@
 /var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.12/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/cron.if 2009-05-26 08:38:15.000000000 -0400
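Review bot: The relabel of `/var/www/svn(/.*)?` from httpd_sys_content_rw_t to httpd_sys_script_rw_t, with `hooks` and `conf` carved out as read-only httpd_sys_content_t, is explained nowhere in the hunk, and an .fc file carries no rationale unless a `#` comment is added. The carve-out looks deliberate — keeping hook scripts and repository configuration out of the writable type means a compromised httpd cannot rewrite them — so that intent should be stated before a later cleanup folds the three entries back into one: `# repository data is written by mod_dav_svn; hooks/ and conf/ stay read-only to httpd -- TODO confirm`. Two things are not visible here and should be checked: that the more specific `hooks`/`conf` entries take precedence over the enclosing `/var/www/svn(/.*)?` pattern the way overlapping file_contexts specs normally resolve, and that executing hook scripts labelled httpd_sys_content_t from the httpd domain still works, since the change could otherwise silently disable hooks.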
@@ -163,27 +163,14 @@
 #
 interface(`cron_unconfined_role',`
 gen_require(`
- type unconfined_cronjob_t, admin_crontab_t, crontab_tmp_t, crontab_exec_t;
+ type unconfined_cronjob_t;
 ')
- role $1 types { unconfined_cronjob_t admin_crontab_t };
+ role $1 types unconfined_cronjob_t;
 # cronjob shows up in user ps
 ps_process_pattern($2, unconfined_cronjob_t)
- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
-
- # crontab shows up in user ps
- ps_process_pattern($2, admin_crontab_t)
- allow $2 admin_crontab_t:process signal;
-
- # Run helper programs as the user domain
- #corecmd_bin_domtrans(admin_crontab_t, $2)
- #corecmd_shell_domtrans(admin_crontab_t, $2)
- corecmd_exec_bin(admin_crontab_t)
- corecmd_exec_shell(admin_crontab_t)
-
 optional_policy(`
 gen_require(`
 class dbus send_msg;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-05-21 12:57:07.000000000 -0400
@@ -55,7 +55,7 @@
 #
 # DeviceKit-Power local policy
 #
-allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice };
+allow devicekit_power_t self:capability { dac_override sys_ptrace sys_tty_config sys_nice };
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.12/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/pyzor.fc 2009-05-21 08:32:24.000000000 -0400
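Review bot: Dropping `admin_crontab_t` and `crontab_exec_t` from the `gen_require` is only safe if no rule further down in `cron_unconfined_role` still names them; the interface body continues past the hunk (the `optional_policy` dbus block is cut off at `class dbus send_msg;`), so any remaining `allow $2 admin_crontab_t:dbus send_msg;` or similar would now fail to build. Please confirm the tail of the interface, and also update its `## <summary>`/`## <desc>` header above the hunk, which presumably still describes the crontab domain transition that this change removes. If the intent is that unconfined users now run crontab without leaving their domain, a one-line comment at the `role` rule saying so would spare the next reader a search for the lost transition: `# crontab runs in the caller's domain; no admin_crontab_t transition for unconfined roles`.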
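Review bot: Adding `sys_ptrace` to devicekit_power_t's self:capability set grants a capability that also permits tracing other processes, and the hunk gives no reason for it. In this policy tree that capability is often requested by the kernel only when a daemon reads another user's `/proc/<pid>` entries, in which case the conventional fix is `dontaudit devicekit_power_t self:capability sys_ptrace;` rather than an allow, so the daemon keeps working without gaining ptrace. If a genuine need exists, record it beside the rule: `# sys_ptrace: needed for <reason> -- TODO confirm this is not just /proc access`.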
@@ -3,6 +3,8 @@
 HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
 HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
 /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
 /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.12/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.fc 2009-05-21 08:31:58.000000000 -0400
@@ -1,3 +1,4 @@
+/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
 HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
 /etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-05-21 12:58:18.000000000 -0400
@@ -183,6 +183,7 @@
 seutil_read_default_contexts(virtd_t)
 term_getattr_pty_fs(virtd_t)
+term_use_generic_ptys(virtd_t)
 term_use_ptmx(virtd_t)
 auth_use_nsswitch(virtd_t)
@@ -323,9 +324,13 @@
 userdom_read_all_users_state(svirt_t)
 append_files_pattern(svirt_t, virt_log_t, virt_log_t)
+append_files_pattern(svirt_t, virt_var_lib_t, virt_var_lib_t)
 allow svirt_t self:udp_socket create_socket_perms;
+corecmd_exec_bin(svirt_t)
+corecmd_exec_shell(svirt_t)
+
 corenet_udp_sendrecv_generic_if(svirt_t)
 corenet_udp_sendrecv_generic_node(svirt_t)
 corenet_udp_sendrecv_all_ports(svirt_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-05-26 08:17:11.000000000 -0400
@@ -538,6 +538,7 @@
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
+userdom_manage_user_tmp_dirs(xdm_t)
 userdom_manage_user_tmp_sockets(xdm_t)
 userdom_manage_tmpfs_role(system_r, xdm_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-05-26 08:43:32.000000000 -0400
@@ -77,6 +77,8 @@
 # for SSP/ProPolice
 dev_read_urand($1)
+ # for encrypted homedir
+ dev_read_sysfs($1)
 # for fingerprint readers
 dev_rw_input_dev($1)
 dev_rw_generic_usb_dev($1)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.12/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/init.fc 2009-05-26 09:15:52.000000000 -0400
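Review bot: `corecmd_exec_bin(svirt_t)` and `corecmd_exec_shell(svirt_t)` give the per-guest emulator domain the ability to run any bin_t program and a shell, and the hunk does not say which helper needs that. svirt_t is the domain that confines a guest's qemu process, so widening it enlarges what a guest that escapes the emulator can reach; if one helper is the trigger, a rule scoped to that helper's type, or a transition into a dedicated domain, would preserve the original boundary. At minimum the rules should carry their reason: `# qemu spawns <helper> from the bin directories -- TODO confirm which, and whether a dedicated domain fits`. The same hunk also extends svirt_t's append access to all of virt_var_lib_t, which deserves a word in the same comment since both changes widen the guest domain together.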
@@ -6,6 +6,8 @@
 /etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
 /etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/sysconfig/network-scripts/ifup-ipsec -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
 /etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
 /etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-05-26 09:17:39.000000000 -0400
@@ -348,6 +348,7 @@
 files_read_etc_files(setkey_t)
 init_dontaudit_use_fds(setkey_t)
+init_read_script_tmp_files(setkey_t)
 # allow setkey to set the context for ipsec SAs and policy.
 ipsec_setcontext_default_spd(setkey_t)
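Review bot: The new `/etc/sysconfig/network-scripts/ifup-ipsec` entry is inserted between the two `/etc/rc\.d/...` lines, splitting a group the rest of this hunk keeps together; placing it after `/etc/X11/prefdm`, or beside any other `/etc/sysconfig` entries the file may have outside the hunk, keeps the block readable. Labelling the script initrc_exec_t means it runs in the init-script domain whenever it is executed from a domain with the corresponding transition, which is presumably the intent — the ipsec.te hunk below giving setkey_t `init_read_script_tmp_files` hints at the same flow — but a `#` comment on the entry naming the caller it was added for would make that explicit and discourage reuse of the broad init-script label for other ifup helpers.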