diff --git a/modules-minimum.conf b/modules-minimum.conf index e5b8f8d..7e698e0 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -1505,6 +1505,13 @@ aide = module w3c = module # Layer: services +# Module: portreserve +# +# reserve ports to prevent portmap mapping them +# +portreserve = module + +# Layer: services # Module: rpcbind # # universal addresses to RPC program number mapper diff --git a/modules-targeted.conf b/modules-targeted.conf index e5b8f8d..7e698e0 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1505,6 +1505,13 @@ aide = module w3c = module # Layer: services +# Module: portreserve +# +# reserve ports to prevent portmap mapping them +# +portreserve = module + +# Layer: services # Module: rpcbind # # universal addresses to RPC program number mapper diff --git a/policy-20080710.patch b/policy-20080710.patch index a97727b..00a22d4 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -1,6 +1,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.5.12/Makefile --- nsaserefpolicy/Makefile 2008-08-07 11:15:00.000000000 -0400 -+++ serefpolicy-3.5.12/Makefile 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/Makefile 2008-10-14 15:00:15.000000000 -0400 @@ -311,20 +311,22 @@ # parse-rolemap modulename,outputfile @@ -47,7 +47,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak $(verbose) $(INSTALL) -m 644 $< $@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.5.12/Rules.modular --- nsaserefpolicy/Rules.modular 2008-08-07 11:15:00.000000000 -0400 -+++ serefpolicy-3.5.12/Rules.modular 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/Rules.modular 2008-10-14 15:00:15.000000000 -0400 @@ -73,8 +73,8 @@ $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te @echo "Compliling $(NAME) $(@F) module" 
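Review bot: The new `portreserve = module` entry lands in modules-minimum.conf and modules-targeted.conf, but nothing in the diff touches a third module list such as modules-mls.conf, if this package ships one; a module enabled in only some of the policy-type lists is a common source of semodule load differences between types, so confirm the omission is intentional. The identical `index e5b8f8d..7e698e0` hashes on both files show the two lists are byte-for-byte the same before and after this change, which suggests maintaining one and generating the other rather than hand-editing both. On the description, `# reserve ports to prevent portmap mapping them` would read more precisely as `# reserve ports so that portmap/rpcbind cannot assign them to RPC services`.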
@@ -79,7 +79,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rul $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.5.12/config/appconfig-mcs/default_contexts --- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.12/config/appconfig-mcs/default_contexts 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/config/appconfig-mcs/default_contexts 2008-10-14 15:00:15.000000000 -0400 @@ -1,15 +1,6 @@ -system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0 -system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 @@ -103,13 +103,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:xdm_t:s0 user_r:user_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.5.12/config/appconfig-mcs/failsafe_context --- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.12/config/appconfig-mcs/failsafe_context 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/config/appconfig-mcs/failsafe_context 2008-10-14 15:00:15.000000000 -0400 
@@ -1 +1 @@ -sysadm_r:sysadm_t:s0 +system_r:unconfined_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.5.12/config/appconfig-mcs/guest_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/config/appconfig-mcs/guest_u_default_contexts 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/config/appconfig-mcs/guest_u_default_contexts 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,6 @@ +system_r:local_login_t:s0 guest_r:guest_t:s0 +system_r:remote_login_t:s0 guest_r:guest_t:s0 @@ -119,7 +119,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +guest_r:guest_t:s0 guest_r:guest_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.5.12/config/appconfig-mcs/root_default_contexts --- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.12/config/appconfig-mcs/root_default_contexts 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/config/appconfig-mcs/root_default_contexts 2008-10-14 15:00:15.000000000 -0400 @@ -1,11 +1,7 @@ -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0 +system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 
@@ -136,7 +136,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.5.12/config/appconfig-mcs/staff_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.12/config/appconfig-mcs/staff_u_default_contexts 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/config/appconfig-mcs/staff_u_default_contexts 2008-10-14 15:00:15.000000000 -0400 @@ -1,10 +1,12 @@ system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 system_r:remote_login_t:s0 staff_r:staff_t:s0 @@ -153,7 +153,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.5.12/config/appconfig-mcs/unconfined_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.12/config/appconfig-mcs/unconfined_u_default_contexts 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/config/appconfig-mcs/unconfined_u_default_contexts 2008-10-14 15:00:15.000000000 -0400 @@ -6,4 +6,6 @@ system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 
@@ -163,7 +163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con system_r:xdm_t:s0 unconfined_r:unconfined_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.5.12/config/appconfig-mcs/user_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.12/config/appconfig-mcs/user_u_default_contexts 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/config/appconfig-mcs/user_u_default_contexts 2008-10-14 15:00:15.000000000 -0400 @@ -1,8 +1,9 @@ system_r:local_login_t:s0 user_r:user_t:s0 system_r:remote_login_t:s0 user_r:user_t:s0 @@ -178,13 +178,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +user_r:user_t:s0 user_r:user_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.5.12/config/appconfig-mcs/userhelper_context --- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.12/config/appconfig-mcs/userhelper_context 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/config/appconfig-mcs/userhelper_context 2008-10-14 15:00:15.000000000 -0400 @@ -1 +1 @@ -system_u:sysadm_r:sysadm_t:s0 +system_u:system_r:unconfined_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.5.12/config/appconfig-mcs/xguest_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/config/appconfig-mcs/xguest_u_default_contexts 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/config/appconfig-mcs/xguest_u_default_contexts 2008-10-14 15:00:15.000000000 -0400 
@@ -0,0 +1,7 @@ +system_r:local_login_t xguest_r:xguest_t:s0 +system_r:remote_login_t xguest_r:xguest_t:s0 @@ -195,7 +195,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +xguest_r:xguest_t:s0 xguest_r:xguest_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.5.12/config/appconfig-mls/default_contexts --- nsaserefpolicy/config/appconfig-mls/default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.12/config/appconfig-mls/default_contexts 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/config/appconfig-mls/default_contexts 2008-10-14 15:00:15.000000000 -0400 @@ -1,15 +1,6 @@ -system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0 -system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 @@ -219,7 +219,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:xdm_t:s0 user_r:user_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.5.12/config/appconfig-mls/guest_u_default_contexts --- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/config/appconfig-mls/guest_u_default_contexts 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/config/appconfig-mls/guest_u_default_contexts 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,4 @@ +system_r:local_login_t:s0 guest_r:guest_t:s0 +system_r:remote_login_t:s0 guest_r:guest_t:s0 
@@ -227,7 +227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:crond_t:s0 guest_r:guest_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.5.12/config/appconfig-mls/root_default_contexts --- nsaserefpolicy/config/appconfig-mls/root_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.12/config/appconfig-mls/root_default_contexts 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/config/appconfig-mls/root_default_contexts 2008-10-14 15:00:15.000000000 -0400 @@ -1,11 +1,11 @@ -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0 -system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 @@ -248,7 +248,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/staff_u_default_contexts serefpolicy-3.5.12/config/appconfig-mls/staff_u_default_contexts --- nsaserefpolicy/config/appconfig-mls/staff_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.12/config/appconfig-mls/staff_u_default_contexts 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/config/appconfig-mls/staff_u_default_contexts 2008-10-14 15:00:15.000000000 -0400 @@ -1,7 +1,7 @@ system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 system_r:remote_login_t:s0 staff_r:staff_t:s0 
@@ -260,7 +260,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/user_u_default_contexts serefpolicy-3.5.12/config/appconfig-mls/user_u_default_contexts --- nsaserefpolicy/config/appconfig-mls/user_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.12/config/appconfig-mls/user_u_default_contexts 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/config/appconfig-mls/user_u_default_contexts 2008-10-14 15:00:15.000000000 -0400 @@ -1,7 +1,7 @@ system_r:local_login_t:s0 user_r:user_t:s0 system_r:remote_login_t:s0 user_r:user_t:s0 @@ -272,7 +272,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con user_r:user_sudo_t:s0 user_r:user_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts serefpolicy-3.5.12/config/appconfig-mls/xguest_u_default_contexts --- nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/config/appconfig-mls/xguest_u_default_contexts 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/config/appconfig-mls/xguest_u_default_contexts 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,7 @@ +system_r:local_login_t xguest_r:xguest_t:s0 +system_r:remote_login_t xguest_r:xguest_t:s0 
@@ -283,7 +283,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +xguest_r:xguest_t:s0 xguest_r:xguest_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.5.12/config/appconfig-standard/guest_u_default_contexts --- nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/config/appconfig-standard/guest_u_default_contexts 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/config/appconfig-standard/guest_u_default_contexts 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,4 @@ +system_r:local_login_t guest_r:guest_t +system_r:remote_login_t guest_r:guest_t @@ -291,7 +291,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:crond_t guest_r:guest_crond_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/root_default_contexts serefpolicy-3.5.12/config/appconfig-standard/root_default_contexts --- nsaserefpolicy/config/appconfig-standard/root_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.12/config/appconfig-standard/root_default_contexts 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/config/appconfig-standard/root_default_contexts 2008-10-14 15:00:15.000000000 -0400 @@ -1,11 +1,7 @@ system_r:crond_t unconfined_r:unconfined_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t 
@@ -307,7 +307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/staff_u_default_contexts serefpolicy-3.5.12/config/appconfig-standard/staff_u_default_contexts --- nsaserefpolicy/config/appconfig-standard/staff_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.12/config/appconfig-standard/staff_u_default_contexts 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/config/appconfig-standard/staff_u_default_contexts 2008-10-14 15:00:15.000000000 -0400 @@ -1,7 +1,7 @@ system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t system_r:remote_login_t staff_r:staff_t @@ -319,7 +319,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con staff_r:staff_sudo_t staff_r:staff_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/user_u_default_contexts serefpolicy-3.5.12/config/appconfig-standard/user_u_default_contexts --- nsaserefpolicy/config/appconfig-standard/user_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.12/config/appconfig-standard/user_u_default_contexts 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/config/appconfig-standard/user_u_default_contexts 2008-10-14 15:00:15.000000000 -0400 @@ -1,7 +1,7 @@ system_r:local_login_t user_r:user_t system_r:remote_login_t user_r:user_t 
@@ -331,7 +331,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con user_r:user_sudo_t user_r:user_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.5.12/config/appconfig-standard/xguest_u_default_contexts --- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/config/appconfig-standard/xguest_u_default_contexts 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/config/appconfig-standard/xguest_u_default_contexts 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,5 @@ +system_r:local_login_t xguest_r:xguest_t +system_r:remote_login_t xguest_r:xguest_t @@ -340,7 +340,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:xdm_t xguest_r:xguest_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.5.12/policy/flask/access_vectors --- nsaserefpolicy/policy/flask/access_vectors 2008-08-07 11:15:00.000000000 -0400 -+++ serefpolicy-3.5.12/policy/flask/access_vectors 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/flask/access_vectors 2008-10-14 15:00:15.000000000 -0400 @@ -616,6 +616,7 @@ nlmsg_write nlmsg_relay @@ -351,7 +351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol class netlink_ip6fw_socket diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.5.12/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.12/policy/global_tunables 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/global_tunables 2008-10-14 15:00:15.000000000 -0400 @@ -34,7 +34,7 @@ ## 
@@ -392,7 +392,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.5.12/policy/mls --- nsaserefpolicy/policy/mls 2008-09-24 09:07:29.000000000 -0400 -+++ serefpolicy-3.5.12/policy/mls 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/mls 2008-10-14 15:00:15.000000000 -0400 @@ -381,11 +381,18 @@ ( t1 == mlsxwinread )); 
@@ -413,37 +413,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # No MLS restrictions: x_drawable { show hide override } -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.5.12/policy/modules/admin/alsa.te ---- nsaserefpolicy/policy/modules/admin/alsa.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/admin/alsa.te 2008-10-10 16:08:15.000000000 -0400 -@@ -48,9 +48,12 @@ - - files_search_home(alsa_t) - files_read_etc_files(alsa_t) -+files_read_usr_files(alsa_t) - - auth_use_nsswitch(alsa_t) - -+init_use_fds(alsa_t) -+ - libs_use_ld_so(alsa_t) - libs_use_shared_libs(alsa_t) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.5.12/policy/modules/admin/amanda.te ---- nsaserefpolicy/policy/modules/admin/amanda.te 2008-08-14 10:07:05.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/admin/amanda.te 2008-10-10 16:08:15.000000000 -0400 -@@ -129,6 +129,8 @@ - corenet_tcp_bind_all_nodes(amanda_t) - corenet_udp_bind_all_nodes(amanda_t) - corenet_tcp_bind_all_rpc_ports(amanda_t) -+corenet_tcp_bind_generic_port(amanda_t) -+corenet_dontaudit_tcp_bind_all_ports(amanda_t) - - dev_getattr_all_blk_files(amanda_t) - dev_getattr_all_chr_files(amanda_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.5.12/policy/modules/admin/anaconda.te ---- nsaserefpolicy/policy/modules/admin/anaconda.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/admin/anaconda.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/anaconda.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/admin/anaconda.te 2008-10-14 15:00:15.000000000 -0400 @@ -31,6 +31,7 @@ modutils_domtrans_insmod(anaconda_t) 
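Review bot: The alsa.te and amanda.te hunks are removed from the patch with no replacement in this hunk, and the only hint that they landed elsewhere is the anaconda.te `---` timestamp moving from 2008-08-07 to 2008-10-14 11:58:09, which suggests the nsaserefpolicy base was refreshed. If `corenet_tcp_bind_generic_port(amanda_t)`, `corenet_dontaudit_tcp_bind_all_ports(amanda_t)`, `files_read_usr_files(alsa_t)` and `init_use_fds(alsa_t)` are not present in the refreshed base, amanda and alsa silently lose those rules and the amanda bind denials become audited again. A one-line note in the commit message or spec changelog naming the upstream snapshot the patch was rebased onto would let a later reader verify which dropped hunks were merged rather than lost.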
@@ -454,7 +426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.5.12/policy/modules/admin/certwatch.te --- nsaserefpolicy/policy/modules/admin/certwatch.te 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/admin/certwatch.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/admin/certwatch.te 2008-10-14 15:00:15.000000000 -0400 @@ -27,6 +27,8 @@ fs_list_inotifyfs(certwatch_t) @@ -466,7 +438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.5.12/policy/modules/admin/consoletype.te --- nsaserefpolicy/policy/modules/admin/consoletype.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/admin/consoletype.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/admin/consoletype.te 2008-10-14 15:00:15.000000000 -0400 @@ -8,9 +8,11 @@ type consoletype_t; @@ -491,8 +463,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_use_fds(consoletype_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.5.12/policy/modules/admin/kismet.te ---- nsaserefpolicy/policy/modules/admin/kismet.te 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/admin/kismet.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/kismet.te 2008-10-14 11:58:10.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/admin/kismet.te 2008-10-14 15:00:15.000000000 -0400 @@ -28,8 +28,9 @@ allow kismet_t self:capability { net_admin net_raw setuid setgid }; allow kismet_t self:fifo_file rw_file_perms; 
@@ -527,7 +499,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(kismet_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.5.12/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/admin/logwatch.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/admin/logwatch.te 2008-10-14 15:00:15.000000000 -0400 @@ -54,18 +54,19 @@ domain_read_all_domains_state(logwatch_t) 
@@ -557,199 +529,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol samba_read_log(logwatch_t) + samba_read_share_files(logwatch_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.5.12/policy/modules/admin/mrtg.te ---- nsaserefpolicy/policy/modules/admin/mrtg.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/admin/mrtg.te 2008-10-10 16:08:15.000000000 -0400 -@@ -78,6 +78,7 @@ - dev_read_urand(mrtg_t) - - domain_use_interactive_fds(mrtg_t) -+domain_dontaudit_search_all_domains_state(mrtg_t) - - files_read_usr_files(mrtg_t) - files_search_var(mrtg_t) -@@ -92,6 +93,7 @@ - - fs_search_auto_mountpoints(mrtg_t) - fs_getattr_xattr_fs(mrtg_t) -+fs_list_inotifyfs(mrtg_t) - - term_dontaudit_use_console(mrtg_t) - -@@ -101,6 +103,8 @@ - init_read_utmp(mrtg_t) - init_dontaudit_write_utmp(mrtg_t) - -+auth_use_nsswitch(mrtg_t) -+ - libs_read_lib_files(mrtg_t) - libs_use_ld_so(mrtg_t) - libs_use_shared_libs(mrtg_t) -@@ -111,12 +115,10 @@ - - selinux_dontaudit_getattr_dir(mrtg_t) - --# Use the network. --sysnet_read_config(mrtg_t) -- - userdom_dontaudit_use_unpriv_user_fds(mrtg_t) - - sysadm_use_terms(mrtg_t) -+sysadm_dontaudit_read_home_content_files(mrtg_t) - - ifdef(`enable_mls',` - corenet_udp_sendrecv_lo_if(mrtg_t) -@@ -140,14 +142,6 @@ - ') - - optional_policy(` -- nis_use_ypbind(mrtg_t) --') -- --optional_policy(` -- nscd_dontaudit_search_pid(mrtg_t) --') -- --optional_policy(` - seutil_sigchld_newrole(mrtg_t) - ') - -@@ -162,10 +156,3 @@ - optional_policy(` - udev_read_db(mrtg_t) - ') -- --ifdef(`TODO',` -- # should not need this! 
-- dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr }; -- dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr; -- dontaudit mrtg_t root_t:lnk_file getattr; --') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.5.12/policy/modules/admin/netutils.te ---- nsaserefpolicy/policy/modules/admin/netutils.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/admin/netutils.te 2008-10-10 16:08:15.000000000 -0400 -@@ -50,6 +50,7 @@ - files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) - - kernel_search_proc(netutils_t) -+kernel_read_sysctl(netutils_t) - - corenet_all_recvfrom_unlabeled(netutils_t) - corenet_all_recvfrom_netlabel(netutils_t) -@@ -78,6 +79,8 @@ - init_use_fds(netutils_t) - init_use_script_ptys(netutils_t) - -+auth_use_nsswitch(netutils_t) -+ - libs_use_ld_so(netutils_t) - libs_use_shared_libs(netutils_t) - -@@ -85,8 +88,6 @@ - - miscfiles_read_localization(netutils_t) - --sysnet_read_config(netutils_t) -- - userdom_use_all_users_fds(netutils_t) - - optional_policy(` -@@ -94,6 +95,10 @@ +--- nsaserefpolicy/policy/modules/admin/netutils.te 2008-10-14 11:58:10.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/admin/netutils.te 2008-10-14 15:00:15.000000000 -0400 +@@ -149,6 +149,10 @@ ') optional_policy(` -+ vmware_append_log(netutils_t) ++ munin_append_log(ping_t) +') + +optional_policy(` - xen_append_log(netutils_t) - ') - -@@ -107,12 +112,14 @@ - allow ping_t self:tcp_socket create_socket_perms; - allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; - allow ping_t self:packet_socket { create ioctl read write bind getopt setopt }; -+allow ping_t self:netlink_route_socket create_netlink_socket_perms; - - corenet_all_recvfrom_unlabeled(ping_t) - corenet_all_recvfrom_netlabel(ping_t) - corenet_tcp_sendrecv_all_if(ping_t) - corenet_raw_sendrecv_all_if(ping_t) - 
corenet_raw_sendrecv_all_nodes(ping_t) -+corenet_raw_bind_all_nodes(ping_t) - corenet_tcp_sendrecv_all_nodes(ping_t) - corenet_tcp_sendrecv_all_ports(ping_t) - -@@ -123,6 +130,8 @@ - files_read_etc_files(ping_t) - files_dontaudit_search_var(ping_t) - -+auth_use_nsswitch(ping_t) -+ - libs_use_ld_so(ping_t) - libs_use_shared_libs(ping_t) - -@@ -130,9 +139,6 @@ - - miscfiles_read_localization(ping_t) - --sysnet_read_config(ping_t) --sysnet_dns_name_resolve(ping_t) -- - ifdef(`hide_broken_symptoms',` - init_dontaudit_use_fds(ping_t) - ') -@@ -143,11 +149,7 @@ - ') - - optional_policy(` -- nis_use_ypbind(ping_t) --') -- --optional_policy(` -- nscd_socket_use(ping_t) -+ munin_append_log(ping_t) + pcmcia_use_cardmgr_fds(ping_t) ') - optional_policy(` -@@ -166,7 +168,6 @@ - allow traceroute_t self:capability { net_admin net_raw setuid setgid }; - allow traceroute_t self:rawip_socket create_socket_perms; - allow traceroute_t self:packet_socket create_socket_perms; --allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; - allow traceroute_t self:udp_socket create_socket_perms; - - kernel_read_system_state(traceroute_t) -@@ -200,6 +201,8 @@ - - init_use_fds(traceroute_t) - -+auth_use_nsswitch(traceroute_t) -+ - libs_use_ld_so(traceroute_t) - libs_use_shared_libs(traceroute_t) - -@@ -212,17 +215,7 @@ - dev_read_urand(traceroute_t) - files_read_usr_files(traceroute_t) - --sysnet_read_config(traceroute_t) -- - tunable_policy(`user_ping',` - term_use_all_user_ttys(traceroute_t) - term_use_all_user_ptys(traceroute_t) - ') -- --optional_policy(` -- nis_use_ypbind(traceroute_t) --') -- --optional_policy(` -- nscd_socket_use(traceroute_t) --') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.5.12/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/admin/prelink.te 
2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/admin/prelink.te 2008-10-14 15:00:15.000000000 -0400 @@ -26,7 +26,7 @@ # Local policy # @@ -809,7 +605,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.5.12/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/admin/rpm.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/admin/rpm.fc 2008-10-14 15:00:15.000000000 -0400 @@ -11,7 +11,8 @@ /usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -840,7 +636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_suse', ` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.5.12/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/admin/rpm.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/admin/rpm.if 2008-10-14 15:00:15.000000000 -0400 @@ -152,6 +152,24 @@ ######################################## @@ -1148,7 +944,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.5.12/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/admin/rpm.te 2008-10-10 17:19:04.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/admin/rpm.te 2008-10-14 15:00:15.000000000 -0400 @@ -31,6 +31,9 @@ files_type(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; 
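Review bot: The replacement netutils.te hunk keeps only `munin_append_log(ping_t)` while dropping every other netutils and mrtg rule the old patch carried (`vmware_append_log(netutils_t)`, `allow ping_t self:netlink_route_socket create_netlink_socket_perms;`, `corenet_raw_bind_all_nodes(ping_t)`, the `auth_use_nsswitch` switches and the whole mrtg.te diff); the netutils.te `---` header now points at a 2008-10-14 11:58:10 base, so these were presumably merged upstream, but the mrtg.te removal leaves no such marker and should be confirmed against the refreshed base. On the new rule itself, `munin_append_log(ping_t)` grants append on munin's log files to every process running in ping_t, not only the munin plugin that spawns ping, so if the denial being fixed is just ping writing to an inherited stderr, a dontaudit variant (if munin.if offers one) or a munin-specific domain transition would be the narrower fix. The grant is correctly wrapped in an optional_policy block so the module still builds without munin present.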
@@ -1291,7 +1087,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol java_domtrans(rpm_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.5.12/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/admin/su.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/admin/su.if 2008-10-14 15:00:15.000000000 -0400 @@ -41,15 +41,13 @@ allow $2 $1_su_t:process signal; @@ -1449,7 +1245,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ####################################### diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.5.12/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/admin/sudo.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/admin/sudo.if 2008-10-14 15:00:15.000000000 -0400 @@ -55,7 +55,7 @@ # @@ -1564,7 +1360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.5.12/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/admin/tmpreaper.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/admin/tmpreaper.te 2008-10-14 15:00:15.000000000 -0400 @@ -22,12 +22,16 @@ dev_read_urand(tmpreaper_t) 
@@ -1611,7 +1407,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.5.12/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/admin/usermanage.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/admin/usermanage.te 2008-10-14 15:00:15.000000000 -0400 @@ -97,6 +97,7 @@ # allow checking if a shell is executable @@ -1684,7 +1480,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.if serefpolicy-3.5.12/policy/modules/admin/vbetool.if --- nsaserefpolicy/policy/modules/admin/vbetool.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/admin/vbetool.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/admin/vbetool.if 2008-10-14 15:00:15.000000000 -0400 @@ -18,3 +18,34 @@ corecmd_search_bin($1) domtrans_pattern($1, vbetool_exec_t, vbetool_t) @@ -1722,7 +1518,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.5.12/policy/modules/admin/vbetool.te --- nsaserefpolicy/policy/modules/admin/vbetool.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/admin/vbetool.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/admin/vbetool.te 2008-10-14 15:00:15.000000000 -0400 @@ -23,6 +23,9 @@ dev_rwx_zero(vbetool_t) dev_read_sysfs(vbetool_t) 
@@ -1742,41 +1538,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_exec_pid(vbetool_t) + xserver_write_pid(vbetool_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.fc serefpolicy-3.5.12/policy/modules/admin/vpn.fc ---- nsaserefpolicy/policy/modules/admin/vpn.fc 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/admin/vpn.fc 2008-10-10 16:08:15.000000000 -0400 -@@ -6,6 +6,7 @@ - # - # /usr - # -+/usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0) - /usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) - - /var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.5.12/policy/modules/admin/vpn.te ---- nsaserefpolicy/policy/modules/admin/vpn.te 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/admin/vpn.te 2008-10-10 16:08:15.000000000 -0400 -@@ -23,7 +23,7 @@ - # - - allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw }; --allow vpnc_t self:process getsched; -+allow vpnc_t self:process { getsched signal }; - allow vpnc_t self:fifo_file rw_fifo_file_perms; - allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; - allow vpnc_t self:tcp_socket create_stream_socket_perms; -@@ -44,7 +44,7 @@ - - kernel_read_system_state(vpnc_t) - kernel_read_network_state(vpnc_t) --kernel_read_kernel_sysctls(vpnc_t) -+kernel_read_all_sysctls(vpnc_t) - kernel_rw_net_sysctls(vpnc_t) - - corenet_all_recvfrom_unlabeled(vpnc_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.5.12/policy/modules/apps/ethereal.fc --- nsaserefpolicy/policy/modules/apps/ethereal.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/ethereal.fc 2008-10-10 
16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/ethereal.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,4 +1,4 @@ -HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ROLE_ethereal_home_t,s0) +HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ethereal_home_t,s0) @@ -1785,7 +1549,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/tethereal.* -- gen_context(system_u:object_r:tethereal_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.if serefpolicy-3.5.12/policy/modules/apps/ethereal.if --- nsaserefpolicy/policy/modules/apps/ethereal.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/ethereal.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/ethereal.if 2008-10-14 15:00:15.000000000 -0400 @@ -35,6 +35,7 @@ template(`ethereal_per_role_template',` @@ -1891,7 +1655,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ####################################### diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.te serefpolicy-3.5.12/policy/modules/apps/ethereal.te --- nsaserefpolicy/policy/modules/apps/ethereal.te 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/ethereal.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/ethereal.te 2008-10-14 15:00:15.000000000 -0400 @@ -16,6 +16,13 @@ type tethereal_tmp_t; files_tmp_file(tethereal_tmp_t) 
@@ -1908,7 +1672,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Tethereal policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.if serefpolicy-3.5.12/policy/modules/apps/games.if --- nsaserefpolicy/policy/modules/apps/games.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/games.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/games.if 2008-10-14 15:00:15.000000000 -0400 @@ -130,10 +130,10 @@ sysnet_read_config($1_games_t) @@ -1950,7 +1714,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.5.12/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/gnome.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/gnome.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,8 +1,10 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:ROLE_gnome_home_t,s0) -HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:ROLE_gconf_home_t,s0) @@ -1970,7 +1734,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.5.12/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/gnome.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/gnome.if 2008-10-14 15:00:15.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` type gconfd_exec_t, gconf_etc_t; 
@@ -2220,7 +1984,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.5.12/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/gnome.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/gnome.te 2008-10-14 15:00:15.000000000 -0400 @@ -8,8 +8,34 @@ attribute gnomedomain; @@ -2261,7 +2025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.5.12/policy/modules/apps/gpg.fc --- nsaserefpolicy/policy/modules/apps/gpg.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/gpg.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/gpg.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,9 +1,9 @@ -HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0) +HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) @@ -2278,7 +2042,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.5.12/policy/modules/apps/gpg.if --- nsaserefpolicy/policy/modules/apps/gpg.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/gpg.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/gpg.if 2008-10-14 15:00:15.000000000 -0400 @@ -37,6 +37,9 @@ template(`gpg_per_role_template',` gen_require(` 
@@ -2617,7 +2381,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.5.12/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/gpg.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/gpg.te 2008-10-14 15:00:15.000000000 -0400 @@ -15,15 +15,253 @@ gen_tunable(gpg_agent_env_file, false) @@ -2878,7 +2642,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.5.12/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/java.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/java.fc 2008-10-14 15:00:15.000000000 -0400 @@ -3,14 +3,15 @@ # /opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) @@ -2912,7 +2676,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.5.12/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/java.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/java.if 2008-10-14 15:00:15.000000000 -0400 @@ -32,7 +32,7 @@ ## ## 
@@ -3188,7 +2952,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.5.12/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/java.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/java.te 2008-10-14 15:00:15.000000000 -0400 @@ -6,16 +6,10 @@ # Declarations # @@ -3240,13 +3004,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.5.12/policy/modules/apps/livecd.fc --- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/apps/livecd.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/livecd.fc 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,2 @@ + +/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.5.12/policy/modules/apps/livecd.if --- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/apps/livecd.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/livecd.if 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,56 @@ + +## policy for livecd 
@@ -3306,7 +3070,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.5.12/policy/modules/apps/livecd.te --- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/apps/livecd.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/livecd.te 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,26 @@ +policy_module(livecd, 1.0.0) + @@ -3336,7 +3100,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +seutil_domtrans_setfiles_mac(livecd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.5.12/policy/modules/apps/loadkeys.te --- nsaserefpolicy/policy/modules/apps/loadkeys.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/loadkeys.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/loadkeys.te 2008-10-14 15:00:15.000000000 -0400 @@ -32,7 +32,6 @@ term_dontaudit_use_console(loadkeys_t) term_use_unallocated_ttys(loadkeys_t) @@ -3355,7 +3119,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +sysadm_dontaudit_list_home_dirs(loadkeys_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.5.12/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/mono.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/mono.if 2008-10-14 15:00:15.000000000 -0400 @@ -21,7 +21,106 @@ ######################################## 
@@ -3475,7 +3239,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_search_bin($1) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.5.12/policy/modules/apps/mono.te --- nsaserefpolicy/policy/modules/apps/mono.te 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/mono.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/mono.te 2008-10-14 15:00:15.000000000 -0400 @@ -15,7 +15,7 @@ # Local policy # @@ -3495,7 +3259,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.5.12/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/mozilla.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/mozilla.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,8 +1,8 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) @@ -3526,7 +3290,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.5.12/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/mozilla.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/mozilla.if 2008-10-14 15:00:15.000000000 -0400 @@ -35,7 +35,10 @@ template(`mozilla_per_role_template',` gen_require(` 
@@ -4006,7 +3770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.5.12/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/mozilla.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/mozilla.te 2008-10-14 15:00:15.000000000 -0400 @@ -6,15 +6,20 @@ # Declarations # @@ -4037,7 +3801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +typealias mozilla_tmp_t alias user_mozilla_tmp_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.5.12/policy/modules/apps/mplayer.fc --- nsaserefpolicy/policy/modules/apps/mplayer.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/mplayer.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/mplayer.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,13 +1,8 @@ # -# /etc @@ -4055,7 +3819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.5.12/policy/modules/apps/mplayer.if --- nsaserefpolicy/policy/modules/apps/mplayer.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/mplayer.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/mplayer.if 2008-10-14 15:00:15.000000000 -0400 @@ -34,7 +34,8 @@ # template(`mplayer_per_role_template',` 
@@ -4200,7 +3964,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.5.12/policy/modules/apps/mplayer.te --- nsaserefpolicy/policy/modules/apps/mplayer.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/mplayer.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/mplayer.te 2008-10-14 15:00:15.000000000 -0400 @@ -22,3 +22,7 @@ type mplayer_exec_t; corecmd_executable_file(mplayer_exec_t) @@ -4211,7 +3975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.5.12/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/apps/nsplugin.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/nsplugin.fc 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,9 @@ + +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) @@ -4224,7 +3988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.config/totem(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.12/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/apps/nsplugin.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/nsplugin.if 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,290 @@ + +## policy for nsplugin 
@@ -4518,7 +4282,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.12/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/apps/nsplugin.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/nsplugin.te 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,246 @@ + +policy_module(nsplugin, 1.0.0) @@ -4768,14 +4532,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.5.12/policy/modules/apps/openoffice.fc --- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/apps/openoffice.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/openoffice.fc 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,3 @@ +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.5.12/policy/modules/apps/openoffice.if --- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/apps/openoffice.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/openoffice.if 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,106 @@ +## Openoffice + 
@@ -4885,7 +4649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.5.12/policy/modules/apps/openoffice.te --- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/apps/openoffice.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/openoffice.te 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,14 @@ + +policy_module(openoffice, 1.0.0) @@ -4903,7 +4667,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.fc serefpolicy-3.5.12/policy/modules/apps/podsleuth.fc --- nsaserefpolicy/policy/modules/apps/podsleuth.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/podsleuth.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/podsleuth.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,2 +1,4 @@ /usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) @@ -4911,7 +4675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.if serefpolicy-3.5.12/policy/modules/apps/podsleuth.if --- nsaserefpolicy/policy/modules/apps/podsleuth.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/podsleuth.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/podsleuth.if 2008-10-14 15:00:15.000000000 -0400 @@ -16,4 +16,38 @@ ') 
@@ -4953,7 +4717,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.5.12/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/podsleuth.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/podsleuth.te 2008-10-14 15:00:15.000000000 -0400 @@ -11,24 +11,55 @@ application_domain(podsleuth_t, podsleuth_exec_t) role system_r types podsleuth_t; @@ -5014,7 +4778,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dbus_system_bus_client_template(podsleuth, podsleuth_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.5.12/policy/modules/apps/qemu.fc --- nsaserefpolicy/policy/modules/apps/qemu.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/qemu.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/qemu.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,2 +1,4 @@ /usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) @@ -5022,7 +4786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/libvirt(/.*)? -- gen_context(system_u:object_r:qemu_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.5.12/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/qemu.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/qemu.if 2008-10-14 15:00:15.000000000 -0400 
@@ -48,6 +48,91 @@ allow qemu_t $3:chr_file rw_file_perms; ') @@ -5395,7 +5159,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.12/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/qemu.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/qemu.te 2008-10-14 15:00:15.000000000 -0400 @@ -6,6 +6,8 @@ # Declarations # @@ -5541,7 +5305,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # qemu_unconfined local policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.5.12/policy/modules/apps/screen.fc --- nsaserefpolicy/policy/modules/apps/screen.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/screen.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/screen.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,7 +1,7 @@ # # /home @@ -5553,7 +5317,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /usr diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.5.12/policy/modules/apps/screen.if --- nsaserefpolicy/policy/modules/apps/screen.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/screen.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/screen.if 2008-10-14 15:00:15.000000000 -0400 @@ -35,6 +35,7 @@ template(`screen_per_role_template',` gen_require(` 
@@ -5608,7 +5372,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls($1_screen_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.5.12/policy/modules/apps/screen.te --- nsaserefpolicy/policy/modules/apps/screen.te 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/screen.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/screen.te 2008-10-14 15:00:15.000000000 -0400 @@ -11,3 +11,7 @@ type screen_exec_t; @@ -5619,7 +5383,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.fc serefpolicy-3.5.12/policy/modules/apps/thunderbird.fc --- nsaserefpolicy/policy/modules/apps/thunderbird.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/thunderbird.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/thunderbird.fc 2008-10-14 15:00:15.000000000 -0400 @@ -3,4 +3,4 @@ # /usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0) @@ -5628,7 +5392,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:user_thunderbird_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-3.5.12/policy/modules/apps/thunderbird.if --- nsaserefpolicy/policy/modules/apps/thunderbird.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/thunderbird.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/thunderbird.if 2008-10-14 15:00:15.000000000 -0400 @@ -43,9 +43,9 @@ application_domain($1_thunderbird_t, thunderbird_exec_t) role $3 types $1_thunderbird_t; 
@@ -5702,7 +5466,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ',` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.te serefpolicy-3.5.12/policy/modules/apps/thunderbird.te --- nsaserefpolicy/policy/modules/apps/thunderbird.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/thunderbird.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/thunderbird.te 2008-10-14 15:00:15.000000000 -0400 @@ -8,3 +8,7 @@ type thunderbird_exec_t; @@ -5713,7 +5477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.if serefpolicy-3.5.12/policy/modules/apps/tvtime.if --- nsaserefpolicy/policy/modules/apps/tvtime.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/tvtime.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/tvtime.if 2008-10-14 15:00:15.000000000 -0400 @@ -35,6 +35,7 @@ template(`tvtime_per_role_template',` gen_require(` @@ -5783,7 +5547,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ps_process_pattern($2,$1_tvtime_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.te serefpolicy-3.5.12/policy/modules/apps/tvtime.te --- nsaserefpolicy/policy/modules/apps/tvtime.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/tvtime.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/tvtime.te 2008-10-14 15:00:15.000000000 -0400 @@ -11,3 +11,9 @@ type tvtime_dir_t; 
@@ -5796,7 +5560,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_tmp_file(user_tvtime_tmp_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc serefpolicy-3.5.12/policy/modules/apps/uml.fc --- nsaserefpolicy/policy/modules/apps/uml.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/uml.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/uml.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,7 +1,7 @@ # # HOME_DIR/ @@ -5808,7 +5572,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /usr diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.5.12/policy/modules/apps/vmware.fc --- nsaserefpolicy/policy/modules/apps/vmware.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/vmware.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/vmware.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,9 +1,9 @@ # # HOME_DIR/ @@ -5869,7 +5633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.5.12/policy/modules/apps/vmware.if --- nsaserefpolicy/policy/modules/apps/vmware.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/vmware.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/vmware.if 2008-10-14 15:00:15.000000000 -0400 @@ -47,11 +47,8 @@ domain_entry_file($1_vmware_t, vmware_exec_t) role $3 types $1_vmware_t; 
@@ -5901,7 +5665,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern($1_vmware_t, $1_vmware_tmp_t, $1_vmware_tmp_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.5.12/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/vmware.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/vmware.te 2008-10-14 15:00:15.000000000 -0400 @@ -10,14 +10,14 @@ type vmware_exec_t; corecmd_executable_file(vmware_exec_t) @@ -5974,7 +5738,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.5.12/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/wine.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/wine.if 2008-10-14 15:00:15.000000000 -0400 @@ -49,3 +49,53 @@ role $2 types wine_t; allow wine_t $3:chr_file rw_term_perms; @@ -6031,7 +5795,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.5.12/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/wine.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/wine.te 2008-10-14 15:00:15.000000000 -0400 @@ -9,6 +9,7 @@ type wine_t; type wine_exec_t; 
@@ -6060,7 +5824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshark.if serefpolicy-3.5.12/policy/modules/apps/wireshark.if --- nsaserefpolicy/policy/modules/apps/wireshark.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/apps/wireshark.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/wireshark.if 2008-10-14 15:00:15.000000000 -0400 @@ -134,7 +134,7 @@ sysnet_read_config($1_wireshark_t) @@ -6072,14 +5836,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_manage_nfs_dirs($1_wireshark_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.fc serefpolicy-3.5.12/policy/modules/apps/wm.fc --- nsaserefpolicy/policy/modules/apps/wm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/apps/wm.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/wm.fc 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,3 @@ +/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) +/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0) +/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.5.12/policy/modules/apps/wm.if --- nsaserefpolicy/policy/modules/apps/wm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/apps/wm.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/wm.if 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,178 @@ +## Window Manager. + 
@@ -6261,7 +6025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te serefpolicy-3.5.12/policy/modules/apps/wm.te --- nsaserefpolicy/policy/modules/apps/wm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/apps/wm.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/apps/wm.te 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,10 @@ +policy_module(wm,0.0.4) + @@ -6275,7 +6039,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +wm_domain_template(user,xdm) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.12/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/kernel/corecommands.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/kernel/corecommands.fc 2008-10-14 15:00:15.000000000 -0400 @@ -129,6 +129,8 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -6315,7 +6079,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.5.12/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/kernel/corecommands.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/kernel/corecommands.if 2008-10-14 15:00:15.000000000 -0400 @@ -894,6 +894,7 @@ read_lnk_files_pattern($1, bin_t, bin_t) 
@@ -6325,8 +6089,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.12/policy/modules/kernel/corenetwork.te.in ---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-10 15:53:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/kernel/corenetwork.te.in 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-14 11:58:07.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/kernel/corenetwork.te.in 2008-10-14 15:00:15.000000000 -0400 @@ -93,6 +93,7 @@ network_port(distccd, tcp,3632,s0) network_port(dns, udp,53,s0, tcp,53,s0) @@ -6398,7 +6162,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(xen, tcp,8002,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.5.12/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2008-10-08 21:42:58.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/kernel/devices.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/kernel/devices.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,7 +1,7 @@ /dev -d gen_context(system_u:object_r:device_t,s0) @@ -6520,7 +6284,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.12/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2008-10-08 21:42:58.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/kernel/devices.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/kernel/devices.if 2008-10-14 15:00:15.000000000 -0400 
@@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1, device_t, device_node) @@ -6530,32 +6294,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol relabelfrom_fifo_files_pattern($1, device_t, device_node) relabelfrom_sock_files_pattern($1, device_t, device_node) relabel_blk_files_pattern($1,device_t,{ device_t device_node }) -@@ -148,6 +148,24 @@ - - ######################################## - ## -+## Del entries to directories in /dev. -+## -+## -+## -+## Domain allowed to add entries. -+## -+## -+# -+interface(`dev_del_entry_generic_dirs',` -+ gen_require(` -+ type device_t; -+ ') -+ -+ allow $1 device_t:dir del_entry_dir_perms; -+') -+ -+######################################## -+## - ## Create a directory in the device directory. - ## - ## -@@ -167,6 +185,25 @@ +@@ -167,6 +167,25 @@ ######################################## ## @@ -6581,7 +6320,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Delete a directory in the device directory. ## ## -@@ -667,6 +704,7 @@ +@@ -667,6 +686,7 @@ ') dontaudit $1 device_node:blk_file getattr; @@ -6589,7 +6328,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -704,6 +742,7 @@ +@@ -704,6 +724,7 @@ ') dontaudit $1 device_node:chr_file getattr; @@ -6597,7 +6336,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1160,6 +1199,25 @@ +@@ -1160,6 +1181,25 @@ ######################################## ## @@ -6623,7 +6362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read the CPU identity. ## ## -@@ -1958,6 +2016,42 @@ +@@ -1958,6 +1998,42 @@ ######################################## ## 
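Review bot: Removing the inner hunk `@@ -148,6 +148,24 @@` drops the `dev_del_entry_generic_dirs` interface from the patched devices.if, and since the base `nsaserefpolicy/policy/modules/kernel/devices.if` header keeps its 2008-10-08 timestamp it does not appear to have gained that interface upstream, so any module elsewhere in this patch that still calls `dev_del_entry_generic_dirs(...)` will fail to build with an undefined interface. If the removal is intentional (it does tighten policy by no longer granting `device_t:dir del_entry_dir_perms` to callers), the same change should drop or rewrite every caller, which this hunk does not show — a quick `grep -r dev_del_entry_generic_dirs` over the patched tree would confirm. The follow-on renumbering of the later inner hunk headers (`+185`→`+167`, `+704`→`+686`, `+742`→`+724`, `+1199`→`+1181`, `+2016`→`+1998`) is consistent with the 18-line drop, so the bookkeeping itself looks correct. The surrounding devices.if interfaces continue outside this hunk.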
@@ -6666,7 +6405,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write to the null device (/dev/null). ## ## -@@ -2769,6 +2863,24 @@ +@@ -2769,6 +2845,24 @@ ######################################## ## @@ -6691,7 +6430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write generic the USB devices. ## ## -@@ -2787,6 +2899,97 @@ +@@ -2787,6 +2881,97 @@ ######################################## ## @@ -6789,7 +6528,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Mount a usbfs filesystem. ## ## -@@ -3322,3 +3525,223 @@ +@@ -3322,3 +3507,223 @@ typeattribute $1 devices_unconfined_type; ') @@ -7015,7 +6754,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.5.12/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2008-10-08 21:42:58.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/kernel/devices.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/kernel/devices.te 2008-10-14 15:00:15.000000000 -0400 @@ -32,6 +32,12 @@ type apm_bios_t; dev_node(apm_bios_t) @@ -7083,7 +6822,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type power_device_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.5.12/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/kernel/domain.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/kernel/domain.if 2008-10-14 15:00:15.000000000 -0400 @@ -1247,18 +1247,34 @@ ## ## 
@@ -7124,7 +6863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## all protocols (TCP, UDP, etc) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.12/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/kernel/domain.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/kernel/domain.te 2008-10-14 15:00:15.000000000 -0400 @@ -5,6 +5,13 @@ # # Declarations @@ -7208,7 +6947,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +dontaudit can_change_object_identity can_change_object_identity:key link; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.5.12/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/kernel/files.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/kernel/files.fc 2008-10-14 15:00:15.000000000 -0400 @@ -32,6 +32,7 @@ /boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /boot/lost\+found/.* <> @@ -7227,7 +6966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/localtime -l gen_context(system_u:object_r:etc_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.5.12/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/kernel/files.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/kernel/files.if 2008-10-14 15:00:15.000000000 -0400 @@ -110,6 +110,11 @@ ## # 
@@ -7564,8 +7303,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_lnk_files_pattern($1,var_run_t,var_run_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.5.12/policy/modules/kernel/files.te ---- nsaserefpolicy/policy/modules/kernel/files.te 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/kernel/files.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/files.te 2008-10-14 11:58:07.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/kernel/files.te 2008-10-14 15:00:15.000000000 -0400 @@ -52,11 +52,14 @@ # # etc_t is the type of the system etc directories. @@ -7604,7 +7343,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.5.12/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/kernel/filesystem.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/kernel/filesystem.if 2008-10-14 15:00:15.000000000 -0400 @@ -535,6 +535,24 @@ ######################################## 
@@ -8038,8 +7777,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dontaudit $1 fusefs_t:file manage_file_perms; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.12/policy/modules/kernel/filesystem.te ---- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/kernel/filesystem.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-10-14 11:58:07.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/kernel/filesystem.te 2008-10-14 15:00:15.000000000 -0400 @@ -21,7 +21,6 @@ # Use xattrs for the following filesystem types. @@ -8078,7 +7817,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.12/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/kernel/kernel.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/kernel/kernel.if 2008-10-14 15:00:15.000000000 -0400 @@ -1198,6 +1198,7 @@ ') @@ -8134,7 +7873,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.5.12/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/kernel/kernel.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/kernel/kernel.te 2008-10-14 15:00:15.000000000 -0400 @@ -63,6 +63,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) 
@@ -8170,7 +7909,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_default_files(kernel_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.5.12/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2008-10-10 15:53:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/kernel/selinux.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/kernel/selinux.if 2008-10-14 15:00:15.000000000 -0400 @@ -164,6 +164,7 @@ type security_t; ') @@ -8262,8 +8001,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + mls_trusted_object($1) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.5.12/policy/modules/kernel/selinux.te ---- nsaserefpolicy/policy/modules/kernel/selinux.te 2008-10-10 15:53:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/kernel/selinux.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/selinux.te 2008-10-14 11:58:07.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/kernel/selinux.te 2008-10-14 15:00:15.000000000 -0400 @@ -10,6 +10,7 @@ attribute can_setenforce; attribute can_setsecparam; @@ -8286,7 +8025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.5.12/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/kernel/terminal.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/kernel/terminal.if 2008-10-14 15:00:15.000000000 -0400 
@@ -250,9 +250,11 @@ interface(`term_dontaudit_use_console',` gen_require(` @@ -8301,12 +8040,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.5.12/policy/modules/roles/guest.fc --- nsaserefpolicy/policy/modules/roles/guest.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/roles/guest.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/roles/guest.fc 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1 @@ +# file contexts handled by userdomain and genhomedircon diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.if serefpolicy-3.5.12/policy/modules/roles/guest.if --- nsaserefpolicy/policy/modules/roles/guest.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/roles/guest.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/roles/guest.if 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,161 @@ +## Least privledge terminal user role + @@ -8471,7 +8210,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.5.12/policy/modules/roles/guest.te --- nsaserefpolicy/policy/modules/roles/guest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/roles/guest.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/roles/guest.te 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,35 @@ + +policy_module(guest, 1.0.0) 
@@ -8510,12 +8249,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.fc serefpolicy-3.5.12/policy/modules/roles/logadm.fc --- nsaserefpolicy/policy/modules/roles/logadm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/roles/logadm.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/roles/logadm.fc 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1 @@ +# file contexts handled by userdomain and genhomedircon diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.if serefpolicy-3.5.12/policy/modules/roles/logadm.if --- nsaserefpolicy/policy/modules/roles/logadm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/roles/logadm.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/roles/logadm.if 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,44 @@ +## Audit administrator role + @@ -8563,7 +8302,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.te serefpolicy-3.5.12/policy/modules/roles/logadm.te --- nsaserefpolicy/policy/modules/roles/logadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/roles/logadm.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/roles/logadm.te 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,20 @@ + +policy_module(logadm, 1.0.0) 
@@ -8587,7 +8326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t }) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.5.12/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/roles/staff.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/roles/staff.te 2008-10-14 15:00:15.000000000 -0400 @@ -8,23 +8,55 @@ role staff_r; @@ -8647,7 +8386,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.5.12/policy/modules/roles/sysadm.if --- nsaserefpolicy/policy/modules/roles/sysadm.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/roles/sysadm.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/roles/sysadm.if 2008-10-14 15:00:15.000000000 -0400 @@ -334,10 +334,10 @@ # interface(`sysadm_getattr_home_dirs',` @@ -8828,7 +8567,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.5.12/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/roles/sysadm.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/roles/sysadm.te 2008-10-14 15:00:15.000000000 -0400 @@ -171,6 +171,10 @@ ') 
@@ -8842,7 +8581,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.if serefpolicy-3.5.12/policy/modules/roles/unprivuser.if --- nsaserefpolicy/policy/modules/roles/unprivuser.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/roles/unprivuser.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/roles/unprivuser.if 2008-10-14 15:00:15.000000000 -0400 @@ -62,6 +62,26 @@ files_home_filetrans($1, user_home_dir_t, dir) ') @@ -9487,8 +9226,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.5.12/policy/modules/roles/unprivuser.te ---- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/roles/unprivuser.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/roles/unprivuser.te 2008-10-14 15:00:15.000000000 -0400 @@ -13,3 +13,19 @@ userdom_unpriv_user_template(user) @@ -9511,12 +9250,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.fc serefpolicy-3.5.12/policy/modules/roles/webadm.fc --- nsaserefpolicy/policy/modules/roles/webadm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/roles/webadm.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/roles/webadm.fc 2008-10-14 15:00:15.000000000 -0400 
@@ -0,0 +1 @@ +# No webadm file contexts. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.if serefpolicy-3.5.12/policy/modules/roles/webadm.if --- nsaserefpolicy/policy/modules/roles/webadm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/roles/webadm.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/roles/webadm.if 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,44 @@ +## Policy for webadm role + @@ -9564,7 +9303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.5.12/policy/modules/roles/webadm.te --- nsaserefpolicy/policy/modules/roles/webadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/roles/webadm.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/roles/webadm.te 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,65 @@ + +policy_module(webadm, 1.0.0) @@ -9633,12 +9372,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.fc serefpolicy-3.5.12/policy/modules/roles/xguest.fc --- nsaserefpolicy/policy/modules/roles/xguest.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/roles/xguest.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/roles/xguest.fc 2008-10-14 15:00:15.000000000 -0400 
@@ -0,0 +1 @@ +# file contexts handled by userdomain and genhomedircon diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.if serefpolicy-3.5.12/policy/modules/roles/xguest.if --- nsaserefpolicy/policy/modules/roles/xguest.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/roles/xguest.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/roles/xguest.if 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,161 @@ +## Least privledge X Windows user role + @@ -9803,7 +9542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.5.12/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/roles/xguest.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/roles/xguest.te 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,82 @@ + +policy_module(xguest, 1.0.0) @@ -9889,7 +9628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.if serefpolicy-3.5.12/policy/modules/services/aide.if --- nsaserefpolicy/policy/modules/services/aide.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/aide.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/aide.if 2008-10-14 15:00:15.000000000 -0400 @@ -70,9 +70,11 @@ allow $1 aide_t:process { ptrace signal_perms }; ps_process_pattern($1, aide_t) 
@@ -9906,7 +9645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.5.12/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2008-10-03 11:12:14.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/apache.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/apache.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,12 +1,13 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -9990,7 +9729,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.5.12/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/apache.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/apache.if 2008-10-14 15:00:15.000000000 -0400 @@ -13,21 +13,16 @@ # template(`apache_content_template',` 
@@ -10642,8 +10381,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + typeattribute $1 httpd_rw_content; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.12/policy/modules/services/apache.te ---- nsaserefpolicy/policy/modules/services/apache.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/apache.te 2008-10-10 16:26:16.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/apache.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/apache.te 2008-10-14 15:00:15.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # @@ -11284,7 +11023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_lnk_files_pattern(httpd_t,httpdcontent,httpd_rw_content) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.fc serefpolicy-3.5.12/policy/modules/services/arpwatch.fc --- nsaserefpolicy/policy/modules/services/arpwatch.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/arpwatch.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/arpwatch.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,3 +1,4 @@ +/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0) 
@@ -11292,7 +11031,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /usr diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.if serefpolicy-3.5.12/policy/modules/services/arpwatch.if --- nsaserefpolicy/policy/modules/services/arpwatch.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/arpwatch.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/arpwatch.if 2008-10-14 15:00:15.000000000 -0400 @@ -90,3 +90,45 @@ dontaudit $1 arpwatch_t:packet_socket { read write }; @@ -11341,7 +11080,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.5.12/policy/modules/services/arpwatch.te --- nsaserefpolicy/policy/modules/services/arpwatch.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/arpwatch.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/arpwatch.te 2008-10-14 15:00:15.000000000 -0400 @@ -13,6 +13,9 @@ type arpwatch_data_t; files_type(arpwatch_data_t) @@ -11354,7 +11093,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.fc serefpolicy-3.5.12/policy/modules/services/asterisk.fc --- nsaserefpolicy/policy/modules/services/asterisk.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/asterisk.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/asterisk.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,4 +1,5 @@ /etc/asterisk(/.*)? gen_context(system_u:object_r:asterisk_etc_t,s0) +/etc/rc\.d/init\.d/asterisk -- gen_context(system_u:object_r:asterisk_initrc_exec_t,s0) 
@@ -11363,7 +11102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.5.12/policy/modules/services/asterisk.if --- nsaserefpolicy/policy/modules/services/asterisk.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/asterisk.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/asterisk.if 2008-10-14 15:00:15.000000000 -0400 @@ -1 +1,54 @@ ## Asterisk IP telephony server + @@ -11421,7 +11160,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.5.12/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/asterisk.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/asterisk.te 2008-10-14 15:00:15.000000000 -0400 @@ -13,6 +13,9 @@ type asterisk_etc_t; files_config_file(asterisk_etc_t) @@ -11434,7 +11173,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.fc serefpolicy-3.5.12/policy/modules/services/audioentropy.fc --- nsaserefpolicy/policy/modules/services/audioentropy.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/audioentropy.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/audioentropy.fc 2008-10-14 15:00:15.000000000 -0400 @@ -2,3 +2,5 @@ # /usr # 
@@ -11443,7 +11182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.5.12/policy/modules/services/audioentropy.te --- nsaserefpolicy/policy/modules/services/audioentropy.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/audioentropy.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/audioentropy.te 2008-10-14 15:00:15.000000000 -0400 @@ -35,6 +35,7 @@ dev_read_rand(entropyd_t) dev_write_rand(entropyd_t) @@ -11453,8 +11192,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(entropyd_t) fs_search_auto_mountpoints(entropyd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.5.12/policy/modules/services/automount.te ---- nsaserefpolicy/policy/modules/services/automount.te 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/automount.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/automount.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/automount.te 2008-10-14 15:00:15.000000000 -0400 @@ -71,6 +71,7 @@ files_mounton_all_mountpoints(automount_t) files_mount_all_file_type_fs(automount_t) 
@@ -11482,7 +11221,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.5.12/policy/modules/services/avahi.fc --- nsaserefpolicy/policy/modules/services/avahi.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/avahi.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/avahi.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,5 +1,9 @@ +/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0) @@ -11495,7 +11234,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.5.12/policy/modules/services/avahi.if --- nsaserefpolicy/policy/modules/services/avahi.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/avahi.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/avahi.if 2008-10-14 15:00:15.000000000 -0400 @@ -2,6 +2,84 @@ ######################################## @@ -11622,7 +11361,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.5.12/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/avahi.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/avahi.te 2008-10-14 15:00:15.000000000 -0400 @@ -10,6 +10,12 @@ type avahi_exec_t; init_daemon_domain(avahi_t, avahi_exec_t) 
@@ -11674,7 +11413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.5.12/policy/modules/services/bind.fc --- nsaserefpolicy/policy/modules/services/bind.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/bind.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/bind.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,4 +1,4 @@ -/etc/rc.d/init.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) @@ -11682,8 +11421,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.5.12/policy/modules/services/bind.if ---- nsaserefpolicy/policy/modules/services/bind.if 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/bind.if 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/bind.if 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/bind.if 2008-10-14 15:00:15.000000000 -0400 @@ -257,6 +257,25 @@ ######################################## @@ -11710,15 +11449,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an bind environment ## -@@ -265,11 +284,20 @@ - ## Domain allowed access. - ## +@@ -267,19 +286,18 @@ ## -+## -+## + ## + ## +-## Role allowed access. +-## +-## +-## +-## +-## The type of the terminal. +## The role to be allowed to manage the bind domain. -+## -+## + ## + ## ## # interface(`bind_admin',` 
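Review bot: The rebased bind.if hunk (`@@ -267,19 +286,18 @@`) removes upstream's parameter descriptions for `bind_admin`, including `## The type of the terminal.`, and keeps only `## The role to be allowed to manage the bind domain.`, yet the interface body in the next hunk still passes three arguments, `bind_run_ndc($1, $2, $3)`, so the third parameter ends up undocumented. The `<param>`/`<summary>` XML tags look stripped by extraction here, so this may partly be an artifact, but if the patch really drops the terminal block it should be kept next to the role summary, e.g. a `<param name="terminal">` block containing `## The type of the terminal.`. The `bind_admin` definition continues past the end of this hunk.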
@@ -11732,7 +11475,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') allow $1 named_t:process { ptrace signal_perms }; -@@ -279,4 +307,28 @@ +@@ -289,4 +307,28 @@ ps_process_pattern($1, ndc_t) bind_run_ndc($1, $2, $3) @@ -11762,8 +11505,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, named_var_run_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.5.12/policy/modules/services/bind.te ---- nsaserefpolicy/policy/modules/services/bind.te 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/bind.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/bind.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/bind.te 2008-10-14 15:00:15.000000000 -0400 @@ -249,6 +249,8 @@ sysnet_read_config(ndc_t) sysnet_dns_name_resolve(ndc_t) 
@@ -11773,28 +11516,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for /etc/rndc.key ifdef(`distro_redhat',` allow ndc_t named_conf_t:dir search; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.5.12/policy/modules/services/bitlbee.te ---- nsaserefpolicy/policy/modules/services/bitlbee.te 2008-10-10 15:53:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/bitlbee.te 2008-10-10 16:08:15.000000000 -0400 -@@ -1,5 +1,5 @@ - --policy_module(bitlbee, 1.0.2) -+policy_module(bitlbee, 1.0.1) - - ######################################## - # -@@ -65,7 +65,7 @@ - # and to MSNP (MSN Messenger) servers: - corenet_tcp_connect_msnp_port(bitlbee_t) - corenet_tcp_sendrecv_msnp_port(bitlbee_t) --# MSN can use passport auth, which is over http: -+ - corenet_tcp_connect_http_port(bitlbee_t) - corenet_tcp_sendrecv_http_port(bitlbee_t) - diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.5.12/policy/modules/services/bluetooth.fc --- nsaserefpolicy/policy/modules/services/bluetooth.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/bluetooth.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/bluetooth.fc 2008-10-14 15:00:15.000000000 -0400 @@ -3,6 +3,9 @@ # /etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0) 
@@ -11812,7 +11536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.5.12/policy/modules/services/bluetooth.if --- nsaserefpolicy/policy/modules/services/bluetooth.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/bluetooth.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/bluetooth.if 2008-10-14 15:00:15.000000000 -0400 @@ -226,3 +226,56 @@ dontaudit $1 bluetooth_helper_domain:dir search; dontaudit $1 bluetooth_helper_domain:file { read getattr }; @@ -11872,7 +11596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.5.12/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/bluetooth.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/bluetooth.te 2008-10-14 15:00:15.000000000 -0400 @@ -20,6 +20,9 @@ type bluetooth_helper_exec_t; application_executable_file(bluetooth_helper_exec_t) 
@@ -11949,7 +11673,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.5.12/policy/modules/services/clamav.fc --- nsaserefpolicy/policy/modules/services/clamav.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/clamav.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/clamav.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,20 +1,22 @@ /etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0) +/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0) @@ -11980,7 +11704,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.5.12/policy/modules/services/clamav.if --- nsaserefpolicy/policy/modules/services/clamav.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/clamav.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/clamav.if 2008-10-14 15:00:15.000000000 -0400 @@ -38,6 +38,27 @@ ######################################## @@ -12099,7 +11823,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.5.12/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/clamav.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/clamav.te 2008-10-14 15:00:15.000000000 -0400 
@@ -13,7 +13,10 @@ # configuration files @@ -12191,7 +11915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.5.12/policy/modules/services/consolekit.fc --- nsaserefpolicy/policy/modules/services/consolekit.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/consolekit.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/consolekit.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,3 +1,6 @@ /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) @@ -12201,7 +11925,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.5.12/policy/modules/services/consolekit.if --- nsaserefpolicy/policy/modules/services/consolekit.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/consolekit.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/consolekit.if 2008-10-14 15:00:15.000000000 -0400 @@ -38,3 +38,24 @@ allow $1 consolekit_t:dbus send_msg; allow consolekit_t $1:dbus send_msg; 
@@ -12229,7 +11953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.5.12/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/consolekit.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/consolekit.te 2008-10-14 15:00:15.000000000 -0400 @@ -13,6 +13,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -12345,7 +12069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.fc serefpolicy-3.5.12/policy/modules/services/courier.fc --- nsaserefpolicy/policy/modules/services/courier.fc 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/courier.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/courier.fc 2008-10-14 15:00:15.000000000 -0400 @@ -19,5 +19,5 @@ /var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0) 
@@ -12354,8 +12078,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) +/var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.5.12/policy/modules/services/courier.te ---- nsaserefpolicy/policy/modules/services/courier.te 2008-09-12 10:48:05.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/courier.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/courier.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/courier.te 2008-10-14 15:00:15.000000000 -0400 @@ -10,6 +10,7 @@ type courier_etc_t; @@ -12376,7 +12100,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Calendar (PCP) local policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.5.12/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/cron.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/cron.fc 2008-10-14 15:00:15.000000000 -0400 @@ -17,6 +17,8 @@ /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) 
@@ -12395,7 +12119,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.12/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/cron.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/cron.if 2008-10-14 15:00:15.000000000 -0400 @@ -35,39 +35,24 @@ # template(`cron_per_role_template',` @@ -12747,7 +12471,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.5.12/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/cron.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/cron.te 2008-10-14 15:00:15.000000000 -0400 @@ -12,14 +12,6 @@ ## @@ -13021,7 +12745,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -') dnl end TODO diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.12/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/cups.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/cups.fc 2008-10-14 15:00:15.000000000 -0400 @@ -8,24 +8,33 @@ /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) 
@@ -13090,7 +12814,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.5.12/policy/modules/services/cups.if --- nsaserefpolicy/policy/modules/services/cups.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/cups.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/cups.if 2008-10-14 15:00:15.000000000 -0400 @@ -20,6 +20,30 @@ ######################################## @@ -13217,8 +12941,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.12/policy/modules/services/cups.te ---- nsaserefpolicy/policy/modules/services/cups.te 2008-09-03 07:59:15.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/cups.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/cups.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/cups.te 2008-10-14 15:00:15.000000000 -0400 @@ -20,6 +20,12 @@ type cupsd_etc_t; files_config_file(cupsd_etc_t) 
@@ -13609,139 +13333,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +sysadm_dontaudit_read_home_content_files(cups_pdf_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.fc serefpolicy-3.5.12/policy/modules/services/cvs.fc ---- nsaserefpolicy/policy/modules/services/cvs.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/cvs.fc 2008-10-10 16:08:15.000000000 -0400 -@@ -5,3 +5,6 @@ - - /var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) - -+#CVSWeb file context -+/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) -+/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.5.12/policy/modules/services/cvs.if ---- nsaserefpolicy/policy/modules/services/cvs.if 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/cvs.if 2008-10-10 16:08:15.000000000 -0400 -@@ -69,4 +69,13 @@ - domain_system_change_exemption($1) - role_transition $2 cvs_initrc_exec_t system_r; - allow $2 system_r; -+ -+ files_list_tmp($1) -+ admin_pattern($1, cvs_tmp_t) -+ -+ admin_pattern($1, cvs_data_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, cvs_var_run_t) - ') -+ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.5.12/policy/modules/services/cvs.te ---- nsaserefpolicy/policy/modules/services/cvs.te 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/cvs.te 2008-10-10 16:08:15.000000000 -0400 -@@ -99,7 +99,17 @@ - ') - - optional_policy(` -- kerberos_read_keytab(cvs_t) -+ kerberos_keytab_template(cvs, cvs_t) - kerberos_read_config(cvs_t) - kerberos_dontaudit_write_config(cvs_t) - ') -+ -+######################################## 
-+# CVSWeb policy -+ -+apache_content_template(cvs) -+ -+read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) -+manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) -+manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) -+files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.fc serefpolicy-3.5.12/policy/modules/services/cyrus.fc ---- nsaserefpolicy/policy/modules/services/cyrus.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/cyrus.fc 2008-10-10 16:08:15.000000000 -0400 -@@ -1,3 +1,4 @@ -+/etc/rc\.d/init\.d/cyrus -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0) - - /usr/lib(64)?/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.if serefpolicy-3.5.12/policy/modules/services/cyrus.if ---- nsaserefpolicy/policy/modules/services/cyrus.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/cyrus.if 2008-10-10 16:08:15.000000000 -0400 -@@ -39,3 +39,47 @@ - files_search_var_lib($1) - stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t) - ') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an cyrus environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the cyrus domain. 
-+## -+## -+## -+# -+interface(`cyrus_admin',` -+ gen_require(` -+ type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t; -+ type cyrus_var_run_t; -+ type cyrus_initrc_exec_t; -+ ') -+ -+ allow $1 cyrus_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, cyrus_t) -+ -+ init_labeled_script_domtrans($1, cyrus_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 cyrus_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_tmp($1) -+ admin_pattern($1, cyrus_tmp_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, cyrus_var_lib_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, cyrus_var_run_t) -+') -+ -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.5.12/policy/modules/services/cyrus.te ---- nsaserefpolicy/policy/modules/services/cyrus.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/cyrus.te 2008-10-10 16:08:15.000000000 -0400 -@@ -10,6 +10,9 @@ - type cyrus_exec_t; - init_daemon_domain(cyrus_t, cyrus_exec_t) - -+type cyrus_initrc_exec_t; -+init_script_file(cyrus_initrc_exec_t) -+ - type cyrus_tmp_t; - files_tmp_file(cyrus_tmp_t) - -@@ -120,7 +123,7 @@ - ') - - optional_policy(` -- kerberos_use(cyrus_t) -+ kerberos_keytab_template(cyrus, cyrus_t) +--- nsaserefpolicy/policy/modules/services/cvs.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/cvs.te 2008-10-14 15:01:34.000000000 -0400 +@@ -115,4 +115,5 @@ + read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) + manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) ++ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) ') - - optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.5.12/policy/modules/services/dbus.fc --- 
nsaserefpolicy/policy/modules/services/dbus.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/dbus.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/dbus.fc 2008-10-14 15:00:15.000000000 -0400 @@ -4,6 +4,9 @@ /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:system_dbusd_exec_t,s0) /bin/dbus-daemon -- gen_context(system_u:object_r:system_dbusd_exec_t,s0) @@ -13754,7 +13357,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.12/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/dbus.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/dbus.if 2008-10-14 15:00:15.000000000 -0400 @@ -53,6 +53,7 @@ gen_require(` type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; @@ -14055,7 +13658,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.5.12/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/dbus.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/dbus.te 2008-10-14 15:00:15.000000000 -0400 @@ -9,9 +9,10 @@ # # Delcarations 
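Review bot: The retained cvs.te hunk (`@@ -115,4 +115,5 @@`) adds `files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })` with no comment, while the surrounding read/manage rules and the now-dropped `#CVSWeb file context` marker were the only hints at what this block is for; a one-line why-comment above the new rule would help, e.g. `# scratch files the cvsweb CGI creates under /tmp are labeled cvs_tmp_t, not the generic tmp type`. As I read it the transition applies to every file or dir the domain creates directly in /tmp, so it is worth confirming the CGI does not also need a `files_tmp_filetrans` for other classes (sockets, fifos) it may create there. The enclosing block, closed by the `')` context line, opens outside this hunk.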
@@ -14179,7 +13782,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.5.12/policy/modules/services/dcc.if --- nsaserefpolicy/policy/modules/services/dcc.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/dcc.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/dcc.if 2008-10-14 15:00:15.000000000 -0400 @@ -72,6 +72,24 @@ ######################################## @@ -14207,7 +13810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.5.12/policy/modules/services/dcc.te --- nsaserefpolicy/policy/modules/services/dcc.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/dcc.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/dcc.te 2008-10-14 15:00:15.000000000 -0400 @@ -105,6 +105,8 @@ files_read_etc_files(cdcc_t) files_read_etc_runtime_files(cdcc_t) @@ -14379,7 +13982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.fc serefpolicy-3.5.12/policy/modules/services/dhcp.fc --- nsaserefpolicy/policy/modules/services/dhcp.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/dhcp.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/dhcp.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,3 +1,4 @@ +/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) 
@@ -14387,7 +13990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.5.12/policy/modules/services/dhcp.if --- nsaserefpolicy/policy/modules/services/dhcp.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/dhcp.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/dhcp.if 2008-10-14 15:00:15.000000000 -0400 @@ -19,3 +19,63 @@ sysnet_search_dhcp_state($1) allow $1 dhcpd_state_t:file setattr; @@ -14454,7 +14057,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.5.12/policy/modules/services/dhcp.te --- nsaserefpolicy/policy/modules/services/dhcp.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/dhcp.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/dhcp.te 2008-10-14 15:00:15.000000000 -0400 @@ -10,6 +10,9 @@ type dhcpd_exec_t; init_daemon_domain(dhcpd_t, dhcpd_exec_t) @@ -14522,7 +14125,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.5.12/policy/modules/services/dnsmasq.fc --- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/dnsmasq.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/dnsmasq.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,4 +1,7 @@ +/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0) + 
@@ -14533,7 +14136,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.5.12/policy/modules/services/dnsmasq.if --- nsaserefpolicy/policy/modules/services/dnsmasq.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/dnsmasq.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/dnsmasq.if 2008-10-14 15:00:15.000000000 -0400 @@ -1 +1,117 @@ ## dnsmasq DNS forwarder and DHCP server + @@ -14654,7 +14257,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.5.12/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/dnsmasq.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/dnsmasq.te 2008-10-14 15:00:15.000000000 -0400 @@ -10,6 +10,9 @@ type dnsmasq_exec_t; init_daemon_domain(dnsmasq_t, dnsmasq_exec_t) @@ -14703,7 +14306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.5.12/policy/modules/services/dovecot.fc --- nsaserefpolicy/policy/modules/services/dovecot.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/dovecot.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/dovecot.fc 2008-10-14 15:00:15.000000000 -0400 @@ -6,6 +6,7 @@ /etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) 
@@ -14743,7 +14346,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.5.12/policy/modules/services/dovecot.if
 --- nsaserefpolicy/policy/modules/services/dovecot.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/dovecot.if 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/dovecot.if 2008-10-14 15:00:15.000000000 -0400
 @@ -21,7 +21,46 @@
 ########################################
@@ -14855,7 +14458,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.5.12/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/dovecot.te 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/dovecot.te 2008-10-14 15:00:15.000000000 -0400
 @@ -15,12 +15,21 @@
 domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) role system_r types dovecot_auth_t;
@@ -15027,7 +14630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.5.12/policy/modules/services/exim.if
 --- nsaserefpolicy/policy/modules/services/exim.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/exim.if 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/exim.if 2008-10-14 15:00:15.000000000 -0400
 @@ -97,6 +97,26 @@
 ########################################
@@ -15081,7 +14684,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.5.12/policy/modules/services/exim.te
 --- nsaserefpolicy/policy/modules/services/exim.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/exim.te 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/exim.te 2008-10-14 15:00:15.000000000 -0400
 @@ -21,9 +21,20 @@
 ## gen_tunable(exim_manage_user_files, false)
@@ -15251,7 +14854,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.if serefpolicy-3.5.12/policy/modules/services/fetchmail.if
 --- nsaserefpolicy/policy/modules/services/fetchmail.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/fetchmail.if 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/fetchmail.if 2008-10-14 15:00:15.000000000 -0400
 @@ -21,10 +21,10 @@
 ps_process_pattern($1, fetchmail_t)
@@ -15267,8 +14870,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 + admin_pattern($1, fetchmail_var_run_t) ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.5.12/policy/modules/services/fetchmail.te
---- nsaserefpolicy/policy/modules/services/fetchmail.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/fetchmail.te 2008-10-10 16:08:15.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/fetchmail.te 2008-10-14 11:58:09.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/fetchmail.te 2008-10-14 15:00:15.000000000 -0400
 @@ -91,6 +91,10 @@
 ')
@@ -15281,8 +14884,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.5.12/policy/modules/services/ftp.te
---- nsaserefpolicy/policy/modules/services/ftp.te 2008-10-08 19:00:26.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/ftp.te 2008-10-10 16:08:15.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/ftp.te 2008-10-14 11:58:09.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/ftp.te 2008-10-14 15:00:15.000000000 -0400
 @@ -226,6 +226,11 @@
 userdom_manage_all_users_home_content_dirs(ftpd_t) userdom_manage_all_users_home_content_files(ftpd_t)
@@ -15323,13 +14926,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.fc serefpolicy-3.5.12/policy/modules/services/gamin.fc
 --- nsaserefpolicy/policy/modules/services/gamin.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.12/policy/modules/services/gamin.fc 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/gamin.fc 2008-10-14 15:00:15.000000000 -0400
 @@ -0,0 +1,2 @@
 + +/usr/libexec/gam_server -- gen_context(system_u:object_r:gamin_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.5.12/policy/modules/services/gamin.if
 --- nsaserefpolicy/policy/modules/services/gamin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.12/policy/modules/services/gamin.if 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/gamin.if 2008-10-14 15:00:15.000000000 -0400
 @@ -0,0 +1,57 @@
 + +## policy for gamin
@@ -15390,7 +14993,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.5.12/policy/modules/services/gamin.te
 --- nsaserefpolicy/policy/modules/services/gamin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.12/policy/modules/services/gamin.te 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/gamin.te 2008-10-14 15:00:15.000000000 -0400
 @@ -0,0 +1,39 @@
 +policy_module(gamin, 1.0.0) +
@@ -15433,14 +15036,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.5.12/policy/modules/services/gnomeclock.fc
 --- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.12/policy/modules/services/gnomeclock.fc 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/gnomeclock.fc 2008-10-14 15:00:15.000000000 -0400
 @@ -0,0 +1,3 @@
 + +/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.5.12/policy/modules/services/gnomeclock.if
 --- nsaserefpolicy/policy/modules/services/gnomeclock.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.12/policy/modules/services/gnomeclock.if 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/gnomeclock.if 2008-10-14 15:00:15.000000000 -0400
 @@ -0,0 +1,75 @@
 + +## policy for gnomeclock
@@ -15519,7 +15122,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.5.12/policy/modules/services/gnomeclock.te
 --- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.12/policy/modules/services/gnomeclock.te 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/gnomeclock.te 2008-10-14 15:00:15.000000000 -0400
 @@ -0,0 +1,55 @@
 +policy_module(gnomeclock, 1.0.0) +########################################
@@ -15578,7 +15181,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.5.12/policy/modules/services/hal.fc
 --- nsaserefpolicy/policy/modules/services/hal.fc 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/hal.fc 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/hal.fc 2008-10-14 15:00:15.000000000 -0400
 @@ -9,6 +9,7 @@
 /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
@@ -15598,7 +15201,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.5.12/policy/modules/services/hal.if
 --- nsaserefpolicy/policy/modules/services/hal.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/hal.if 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/hal.if 2008-10-14 15:00:15.000000000 -0400
 @@ -302,3 +302,42 @@
 files_search_pids($1) allow $1 hald_var_run_t:file rw_file_perms;
@@ -15644,7 +15247,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.5.12/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/hal.te 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/hal.te 2008-10-14 15:00:15.000000000 -0400
 @@ -49,6 +49,9 @@
 type hald_var_lib_t; files_type(hald_var_lib_t)
@@ -15755,7 +15358,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +cron_read_system_job_lib_files(hald_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.fc serefpolicy-3.5.12/policy/modules/services/inetd.fc
 --- nsaserefpolicy/policy/modules/services/inetd.fc 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/inetd.fc 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/inetd.fc 2008-10-14 15:00:15.000000000 -0400
 @@ -1,6 +1,8 @@
 /usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
@@ -15766,8 +15369,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0) /usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.5.12/policy/modules/services/inetd.te
---- nsaserefpolicy/policy/modules/services/inetd.te 2008-09-03 07:59:15.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/inetd.te 2008-10-10 16:08:15.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/inetd.te 2008-10-14 11:58:09.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/inetd.te 2008-10-14 15:00:15.000000000 -0400
 @@ -136,6 +136,7 @@
 domain_use_interactive_fds(inetd_t)
@@ -15785,8 +15388,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 auth_use_nsswitch(inetd_child_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.5.12/policy/modules/services/kerberos.te
---- nsaserefpolicy/policy/modules/services/kerberos.te 2008-10-10 15:53:03.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/kerberos.te 2008-10-10 16:08:56.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/kerberos.te 2008-10-14 11:58:09.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/kerberos.te 2008-10-14 15:00:15.000000000 -0400
 @@ -298,6 +298,7 @@
 corenet_tcp_sendrecv_all_nodes(kpropd_t) corenet_tcp_sendrecv_all_ports(kpropd_t)
@@ -15795,75 +15398,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dev_read_urand(kpropd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.fc serefpolicy-3.5.12/policy/modules/services/kerneloops.fc
---- nsaserefpolicy/policy/modules/services/kerneloops.fc 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/kerneloops.fc 2008-10-10 16:08:15.000000000 -0400
-@@ -1 +1,3 @@
-+/etc/rc\.d/init\.d/kerneloops -- gen_context(system_u:object_r:kerneloops_initrc_exec_t,s0) -+ - /usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.5.12/policy/modules/services/kerneloops.if
---- nsaserefpolicy/policy/modules/services/kerneloops.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/kerneloops.if 2008-10-10 16:08:15.000000000 -0400
-@@ -71,13 +71,25 @@
- ## Domain allowed access. - ## - ## -+## -+## -+## The role to be allowed to manage the kerneloops domain.
-+## -+## - ## - # - interface(`kerneloops_admin',` - gen_require(` - type kerneloops_t; -+ type kerneloops_initrc_exec_t; - ') - - allow $1 kerneloops_t:process { ptrace signal_perms }; - ps_process_pattern($1, kerneloops_t) -+ -+ init_labeled_script_domtrans($1, kerneloops_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 kerneloops_initrc_exec_t system_r; -+ allow $2 system_r; -+ - ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.5.12/policy/modules/services/kerneloops.te
---- nsaserefpolicy/policy/modules/services/kerneloops.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/kerneloops.te 2008-10-10 16:08:15.000000000 -0400
-@@ -10,13 +10,16 @@
- type kerneloops_exec_t; - init_daemon_domain(kerneloops_t, kerneloops_exec_t) - -+type kerneloops_initrc_exec_t; -+init_script_file(kerneloops_initrc_exec_t) -+ - ######################################## - # - # kerneloops local policy - # - - allow kerneloops_t self:capability sys_nice; --allow kerneloops_t self:process { setsched getsched }; -+allow kerneloops_t self:process { setsched getsched signal }; - allow kerneloops_t self:fifo_file rw_file_perms; - - kernel_read_ring_buffer(kerneloops_t)
-@@ -24,6 +27,8 @@
- # Init script handling - domain_use_interactive_fds(kerneloops_t) - -+allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms; -+ - corenet_all_recvfrom_unlabeled(kerneloops_t) - corenet_all_recvfrom_netlabel(kerneloops_t) - corenet_tcp_sendrecv_all_if(kerneloops_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.5.12/policy/modules/services/ldap.te
---- nsaserefpolicy/policy/modules/services/ldap.te 2008-10-08 19:00:27.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/ldap.te 2008-10-10 16:08:15.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/ldap.te
2008-10-14 11:58:09.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/ldap.te 2008-10-14 15:00:15.000000000 -0400
 @@ -121,7 +121,7 @@
 sysadm_dontaudit_search_home_dirs(slapd_t)
@@ -15875,7 +15412,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.5.12/policy/modules/services/lpd.fc
 --- nsaserefpolicy/policy/modules/services/lpd.fc 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/lpd.fc 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/lpd.fc 2008-10-14 15:00:15.000000000 -0400
 @@ -22,11 +22,14 @@
 /usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
@@ -15893,7 +15430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.5.12/policy/modules/services/mailman.fc
 --- nsaserefpolicy/policy/modules/services/mailman.fc 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/mailman.fc 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/mailman.fc 2008-10-14 15:00:15.000000000 -0400
 @@ -31,3 +31,4 @@
 /var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) /var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
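Review bot: Nothing in this hunk shows where the dropped kerneloops.fc/.if/.te rules (the `kerneloops_initrc_exec_t` type, the `signal` process permission and the `netlink_route_socket` rule) now come from, and the same question applies to the fragments dropped at @@ -16076,25 +15613,16 @@ (`permissive memcached_t;`), @@ -16122,24 +15650,6 @@ (the `unprivuser_home_dir_filetrans_home_content` swap in mta.if) and @@ -16174,33 +15684,7 @@ (the `mta_manage_aliases` interface). The `---` headers that move to 2008-10-14 11:58:09 suggest the nsaserefpolicy base was refreshed and these changes landed upstream, but that is inferred: only the headers of files still patched (ldap.te, mta.if and others) are visible here, not the base state of the files whose fragments were removed. If the refreshed base does not carry them, the result is silent for kerneloops and memcached — memcached_t would go enforcing and the difference would surface as AVC denials at runtime rather than as a build error — while any module still calling `mta_manage_aliases` fails at policy build time. A commit-record line such as `Drop kerneloops, memcached permissive and mta alias hunks: merged into refpolicy <upstream revision placeholder>` would let a reader verify the assumption.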
@@ -15901,7 +15438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.5.12/policy/modules/services/mailman.if
 --- nsaserefpolicy/policy/modules/services/mailman.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/mailman.if 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/mailman.if 2008-10-14 15:00:15.000000000 -0400
 @@ -31,6 +31,12 @@
 allow mailman_$1_t self:tcp_socket create_stream_socket_perms; allow mailman_$1_t self:udp_socket create_socket_perms;
@@ -15951,7 +15488,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.5.12/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/mailman.te 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/mailman.te 2008-10-14 15:00:15.000000000 -0400
 @@ -53,10 +53,9 @@
 apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t)
@@ -16007,13 +15544,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.5.12/policy/modules/services/mailscanner.fc
 --- nsaserefpolicy/policy/modules/services/mailscanner.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.12/policy/modules/services/mailscanner.fc 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/mailscanner.fc 2008-10-14 15:00:15.000000000 -0400
 @@ -0,0 +1,2 @@
 +/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mailscanner_spool_t,s0) +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.5.12/policy/modules/services/mailscanner.if
 --- nsaserefpolicy/policy/modules/services/mailscanner.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.12/policy/modules/services/mailscanner.if 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/mailscanner.if 2008-10-14 15:00:15.000000000 -0400
 @@ -0,0 +1,59 @@
 +## Anti-Virus and Anti-Spam Filter +
@@ -16076,25 +15613,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.5.12/policy/modules/services/mailscanner.te
 --- nsaserefpolicy/policy/modules/services/mailscanner.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.12/policy/modules/services/mailscanner.te 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/mailscanner.te 2008-10-14 15:00:15.000000000 -0400
@@ -0,0 +1,5 @@
 + +policy_module(mailscanner, 1.0.0) + +type mailscanner_spool_t; +files_type(mailscanner_spool_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.5.12/policy/modules/services/memcached.te
---- nsaserefpolicy/policy/modules/services/memcached.te 2008-10-10 15:53:03.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/memcached.te 2008-10-10 16:08:15.000000000 -0400
-@@ -50,3 +50,5 @@
- miscfiles_read_localization(memcached_t) - - sysnet_dns_name_resolve(memcached_t) -+ -+permissive memcached_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.5.12/policy/modules/services/mta.fc
 --- nsaserefpolicy/policy/modules/services/mta.fc 2008-09-12 10:48:05.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/mta.fc 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/mta.fc 2008-10-14 15:00:15.000000000 -0400
 @@ -22,7 +22,3 @@
 /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
@@ -16104,8 +15632,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -#/var/spool/postfix(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) -#')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.5.12/policy/modules/services/mta.if
---- nsaserefpolicy/policy/modules/services/mta.if 2008-09-12 10:48:05.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/mta.if 2008-10-10 16:08:15.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/mta.if 2008-10-14 11:58:09.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/mta.if 2008-10-14 15:06:51.000000000 -0400
 @@ -133,6 +133,15 @@
 sendmail_create_log($1_mail_t) ')
@@ -16122,24 +15650,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ') #######################################
-@@ -199,7 +208,7 @@
- userdom_use_user_terminals($1, mta_user_agent) - # Create dead.letter in user home directories. - userdom_manage_user_home_content_files($1, $1_mail_t) -- userdom_user_home_dir_filetrans_user_home_content($1, $1_mail_t, file) -+ unprivuser_home_dir_filetrans_home_content($1_mail_t, file) - # for reading .forward - maybe we need a new type for it? - # also for delivering mail to maildir - userdom_manage_user_home_content_dirs($1, mailserver_delivery)
-@@ -207,7 +216,7 @@
- userdom_manage_user_home_content_symlinks($1, mailserver_delivery) - userdom_manage_user_home_content_pipes($1, mailserver_delivery) - userdom_manage_user_home_content_sockets($1, mailserver_delivery) -- userdom_user_home_dir_filetrans_user_home_content($1, mailserver_delivery, { dir file lnk_file fifo_file sock_file }) -+ unprivuser_home_dir_filetrans_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file }) - # Read user temporary files. - userdom_read_user_tmp_files($1, $1_mail_t) - userdom_dontaudit_append_user_tmp_files($1, $1_mail_t)
 @@ -220,6 +229,11 @@
 fs_manage_cifs_symlinks($1_mail_t) ')
@@ -16174,33 +15684,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ') ')
-@@ -622,6 +639,25 @@
- files_search_etc($1) - allow $1 etc_aliases_t:file { rw_file_perms setattr }; - ') -+######################################## -+## -+## manage mail aliases. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`mta_manage_aliases',` -+ gen_require(` -+ type etc_aliases_t; -+ ') -+ -+ files_search_etc($1) -+ allow $1 etc_aliases_t:file manage_file_perms; -+') - - ####################################### - ##
-@@ -873,6 +909,25 @@
+@@ -893,6 +911,25 @@
 ######################################## ##
@@ -16227,8 +15711,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## mail queue files. ##
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.5.12/policy/modules/services/mta.te
---- nsaserefpolicy/policy/modules/services/mta.te 2008-09-12 10:48:05.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/mta.te 2008-10-10 16:08:15.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/mta.te 2008-10-14 11:58:09.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/mta.te 2008-10-14 15:00:15.000000000 -0400
 @@ -39,34 +39,50 @@
 #
@@ -16363,7 +15847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 arpwatch_search_data(mailserver_delivery)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.5.12/policy/modules/services/munin.fc
 --- nsaserefpolicy/policy/modules/services/munin.fc 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/munin.fc 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/munin.fc 2008-10-14 15:00:15.000000000 -0400
 @@ -1,4 +1,5 @@
 /etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) +/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0)
@@ -16383,7 +15867,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.5.12/policy/modules/services/munin.if
 --- nsaserefpolicy/policy/modules/services/munin.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/munin.if 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/munin.if 2008-10-14 15:00:15.000000000 -0400
@@ -80,3 +80,76 @@
 dontaudit $1 munin_var_lib_t:dir search_dir_perms;
@@ -16463,7 +15947,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.5.12/policy/modules/services/munin.te
 --- nsaserefpolicy/policy/modules/services/munin.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/munin.te 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/munin.te 2008-10-14 15:00:15.000000000 -0400
 @@ -13,6 +13,9 @@
 type munin_etc_t alias lrrd_etc_t; files_config_file(munin_etc_t)
@@ -16593,7 +16077,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.5.12/policy/modules/services/mysql.fc
 --- nsaserefpolicy/policy/modules/services/mysql.fc 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/mysql.fc 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/mysql.fc 2008-10-14 15:00:15.000000000 -0400
 @@ -5,6 +5,7 @@
 # /etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
@@ -16604,7 +16088,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # /usr
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.5.12/policy/modules/services/mysql.if
 --- nsaserefpolicy/policy/modules/services/mysql.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/mysql.if 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/mysql.if 2008-10-14 15:00:15.000000000 -0400
@@ -53,9 +53,11 @@
 interface(`mysql_stream_connect',` gen_require(`
@@ -16666,8 +16150,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 + admin_pattern($1, mysqld_tmp_t) +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.5.12/policy/modules/services/mysql.te
---- nsaserefpolicy/policy/modules/services/mysql.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/mysql.te 2008-10-10 16:08:15.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/mysql.te 2008-10-14 11:58:09.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/mysql.te 2008-10-14 15:00:15.000000000 -0400
 @@ -19,6 +19,9 @@
 type mysqld_etc_t alias etc_mysqld_t; files_config_file(mysqld_etc_t)
@@ -16698,7 +16182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.5.12/policy/modules/services/nagios.fc
 --- nsaserefpolicy/policy/modules/services/nagios.fc 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/nagios.fc 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/nagios.fc 2008-10-14 15:00:15.000000000 -0400
 @@ -1,16 +1,19 @@
 /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
@@ -16725,7 +16209,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.5.12/policy/modules/services/nagios.if
 --- nsaserefpolicy/policy/modules/services/nagios.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/nagios.if 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/nagios.if 2008-10-14 15:00:15.000000000 -0400
 @@ -44,7 +44,7 @@
 ########################################
@@ -16808,7 +16292,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.5.12/policy/modules/services/nagios.te
 --- nsaserefpolicy/policy/modules/services/nagios.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/nagios.te 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/nagios.te 2008-10-14 15:00:15.000000000 -0400
 @@ -10,13 +10,12 @@
 type nagios_exec_t; init_daemon_domain(nagios_t, nagios_exec_t)
@@ -16909,7 +16393,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.5.12/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-09-24 09:07:28.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/networkmanager.fc 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/networkmanager.fc 2008-10-14 15:00:15.000000000 -0400
 @@ -1,8 +1,12 @@
 +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +
@@ -16930,7 +16414,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.5.12/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/networkmanager.if 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/networkmanager.if 2008-10-14 15:00:15.000000000 -0400
 @@ -118,6 +118,24 @@
 ########################################
@@ -16957,8 +16441,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## ##
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.12/policy/modules/services/networkmanager.te
---- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-09-24 09:07:28.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/networkmanager.te 2008-10-10 16:08:15.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-10-14 11:58:09.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/networkmanager.te 2008-10-14 15:00:15.000000000 -0400
 @@ -33,9 +33,9 @@
 # networkmanager will ptrace itself if gdb is installed
@@ -17155,7 +16639,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +term_dontaudit_use_console(wpa_cli_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.5.12/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/nis.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/nis.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,9 +1,13 @@ +/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) @@ -17172,7 +16656,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.5.12/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/nis.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/nis.if 2008-10-14 15:00:15.000000000 -0400 @@ -28,7 +28,7 @@ type var_yp_t; ') @@ -17305,7 +16789,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.5.12/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/nis.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/nis.te 2008-10-14 15:00:15.000000000 -0400 @@ -44,6 +44,9 @@ type ypxfr_exec_t; init_daemon_domain(ypxfr_t, ypxfr_exec_t) 
@@ -17376,7 +16860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_all_ports(ypxfr_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.5.12/policy/modules/services/nscd.fc --- nsaserefpolicy/policy/modules/services/nscd.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/nscd.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/nscd.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,3 +1,4 @@ +/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) @@ -17384,7 +16868,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.5.12/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/nscd.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/nscd.if 2008-10-14 15:00:15.000000000 -0400 @@ -70,15 +70,14 @@ interface(`nscd_socket_use',` gen_require(` @@ -17466,7 +16950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.5.12/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/nscd.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/nscd.te 2008-10-14 15:00:15.000000000 -0400 @@ -20,6 +20,9 @@ type nscd_exec_t; init_daemon_domain(nscd_t, nscd_exec_t) 
@@ -17565,8 +17049,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + samba_read_var_files(nscd_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.5.12/policy/modules/services/ntp.if ---- nsaserefpolicy/policy/modules/services/ntp.if 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/ntp.if 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ntp.if 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/ntp.if 2008-10-14 15:00:15.000000000 -0400 @@ -56,6 +56,24 @@ ######################################## @@ -17593,8 +17077,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## an ntp environment ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.5.12/policy/modules/services/ntp.te ---- nsaserefpolicy/policy/modules/services/ntp.te 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/ntp.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ntp.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/ntp.te 2008-10-14 15:00:15.000000000 -0400 @@ -42,6 +42,7 @@ dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; 
@@ -17614,7 +17098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.5.12/policy/modules/services/oddjob.fc --- nsaserefpolicy/policy/modules/services/oddjob.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/oddjob.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/oddjob.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,4 +1,4 @@ -/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) @@ -17623,7 +17107,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.5.12/policy/modules/services/oddjob.if --- nsaserefpolicy/policy/modules/services/oddjob.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/oddjob.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/oddjob.if 2008-10-14 15:00:15.000000000 -0400 @@ -44,6 +44,7 @@ ') @@ -17669,7 +17153,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.5.12/policy/modules/services/oddjob.te --- nsaserefpolicy/policy/modules/services/oddjob.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/oddjob.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/oddjob.te 2008-10-14 15:00:15.000000000 -0400 @@ -10,14 +10,21 @@ type oddjob_exec_t; domain_type(oddjob_t) 
@@ -17730,8 +17214,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Add/remove user home directories unprivuser_home_filetrans_home_dir(oddjob_mkhomedir_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.5.12/policy/modules/services/openvpn.te ---- nsaserefpolicy/policy/modules/services/openvpn.te 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/openvpn.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/openvpn.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/openvpn.te 2008-10-14 15:00:15.000000000 -0400 @@ -117,3 +117,11 @@ networkmanager_dbus_chat(openvpn_t) @@ -17746,7 +17230,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.fc serefpolicy-3.5.12/policy/modules/services/pads.fc --- nsaserefpolicy/policy/modules/services/pads.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/services/pads.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/pads.fc 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,12 @@ + +/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0) @@ -17762,7 +17246,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.if serefpolicy-3.5.12/policy/modules/services/pads.if --- nsaserefpolicy/policy/modules/services/pads.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/services/pads.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/pads.if 2008-10-14 15:00:15.000000000 -0400 
@@ -0,0 +1,10 @@ +## SELinux policy for PADS daemon. +## @@ -17776,7 +17260,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.5.12/policy/modules/services/pads.te --- nsaserefpolicy/policy/modules/services/pads.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/services/pads.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/pads.te 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,68 @@ + +policy_module(pads, 0.0.1) @@ -17848,7 +17332,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.5.12/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/pcscd.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/pcscd.te 2008-10-14 15:00:15.000000000 -0400 @@ -10,6 +10,7 @@ type pcscd_exec_t; domain_type(pcscd_t) @@ -17874,7 +17358,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol openct_signull(pcscd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.5.12/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/pegasus.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/pegasus.te 2008-10-14 15:00:15.000000000 -0400 @@ -66,6 +66,7 @@ kernel_read_system_state(pegasus_t) kernel_search_vm_sysctl(pegasus_t) 
@@ -17909,7 +17393,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(pegasus_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.5.12/policy/modules/services/polkit.fc --- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/services/polkit.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/polkit.fc 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,9 @@ + +/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) @@ -17922,7 +17406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.5.12/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/services/polkit.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/polkit.if 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,213 @@ + +## policy for polkit_auth @@ -18139,7 +17623,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.12/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/services/polkit.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/polkit.te 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,231 @@ +policy_module(polkit_auth, 1.0.0) + 
@@ -18374,7 +17858,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portmap.te serefpolicy-3.5.12/policy/modules/services/portmap.te --- nsaserefpolicy/policy/modules/services/portmap.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/portmap.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/portmap.te 2008-10-14 15:00:15.000000000 -0400 @@ -41,6 +41,7 @@ manage_files_pattern(portmap_t, portmap_var_run_t, portmap_var_run_t) files_pid_filetrans(portmap_t, portmap_var_run_t, file) 
@@ -18383,9 +17867,157 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 kernel_read_kernel_sysctls(portmap_t)
 kernel_list_proc(portmap_t)
 kernel_read_proc_symlinks(portmap_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.fc serefpolicy-3.5.12/policy/modules/services/portreserve.fc
+--- nsaserefpolicy/policy/modules/services/portreserve.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.12/policy/modules/services/portreserve.fc 2008-10-14 15:00:15.000000000 -0400
+@@ -0,0 +1,12 @@
++# portreserve executable will have:
++# label: system_u:object_r:portreserve_exec_t
++# MLS sensitivity: s0
++# MCS categories:
++
++#exec
++/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
++
++/var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0)
++
++/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.5.12/policy/modules/services/portreserve.if
+--- nsaserefpolicy/policy/modules/services/portreserve.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.12/policy/modules/services/portreserve.if 2008-10-14 15:00:15.000000000 -0400
+@@ -0,0 +1,70 @@
++## policy for portreserve
++
++########################################
++##
++## Execute a domain transition to run portreserve.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`portreserve_domtrans',`
++ gen_require(`
++ type portreserve_t, portreserve_exec_t;
++ ')
++
++ domain_auto_trans($1,portreserve_exec_t,portreserve_t)
++
++ allow portreserve_t $1:fd use;
++ allow portreserve_t $1:fifo_file rw_file_perms;
++ allow portreserve_t $1:process sigchld;
++')
++
++#######################################
++##
++## Allow the specified domain to read
++## portreserve etcuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++#
++interface(`portreserve_read_etc',`
++ gen_require(`
++ type portreserve_etc_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 portreserve_etc_t:dir list_dir_perms;
++ read_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
++ read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
++')
++
++#######################################
++##
++## Allow the specified domain to manage
++## portreserve etcuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`portreserve_manage_etc',`
++ gen_require(`
++ type portreserve_etc_t;
++ ')
++
++ files_search_etc($1)
++ manage_dirs_pattern($1, portreserve_etc_t, portreserve_etc_t)
++ manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
++ read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.5.12/policy/modules/services/portreserve.te
+--- nsaserefpolicy/policy/modules/services/portreserve.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.12/policy/modules/services/portreserve.te 2008-10-14 15:00:15.000000000 -0400
+@@ -0,0 +1,54 @@
++policy_module(portreserve,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type portreserve_t;
++type portreserve_exec_t;
++init_daemon_domain(portreserve_t, portreserve_exec_t)
++
++type portreserve_etc_t;
++files_type(portreserve_etc_t)
++
++type portreserve_var_run_t;
++files_pid_file(portreserve_var_run_t)
++
++########################################
++#
++# Portreserve local policy
++#
++allow portreserve_t self:fifo_file rw_fifo_file_perms;
++allow portreserve_t self:unix_stream_socket create_stream_socket_perms;
++allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto };
++allow portreserve_t self:tcp_socket create_socket_perms;
++allow portreserve_t self:udp_socket create_socket_perms;
++
++# Read etc files
++list_dirs_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
++read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
++
++# Manage /var/run/portreserve/*
++manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
++manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
++manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
++files_pid_filetrans(portreserve_t,portreserve_var_run_t, { file sock_file })
++
++## Networking basics
++corenet_tcp_bind_all_ports(portreserve_t)
++corenet_tcp_bind_all_ports(portreserve_t)
++corenet_udp_bind_all_nodes(portreserve_t)
++corenet_udp_bind_all_ports(portreserve_t)
++corenet_tcp_bind_inaddr_any_node(portreserve_t)
++corenet_udp_bind_inaddr_any_node(portreserve_t)
++
++files_read_etc_files(portreserve_t)
++
++libs_use_ld_so(portreserve_t)
++libs_use_shared_libs(portreserve_t)
++
++# Init script handling
++#init_use_fds(portreserve_t)
++#init_use_script_ptys(portreserve_t)
++#domain_use_interactive_fds(portreserve_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.5.12/policy/modules/services/postfix.fc
 --- nsaserefpolicy/policy/modules/services/postfix.fc 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.12/policy/modules/services/postfix.fc 2008-10-10 16:08:15.000000000 -0400
++++ serefpolicy-3.5.12/policy/modules/services/postfix.fc 2008-10-14 15:00:15.000000000 -0400
 @@ -29,12 +29,10 @@
 /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
 /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
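Review bot: `corenet_tcp_bind_all_ports(portreserve_t)` appears twice in the "Networking basics" block of the new portreserve.te, while the UDP side pairs `corenet_udp_bind_all_nodes` with `corenet_udp_bind_all_ports`; the first TCP line was presumably meant to be `corenet_tcp_bind_all_nodes(portreserve_t)`, and without it TCP binds to a specific interface address would be denied where the UDP equivalent succeeds. `portreserve_etc_t` labels /etc/portreserve and is exposed through `portreserve_read_etc`/`portreserve_manage_etc`, yet it is declared with `files_type`; the other *_etc_t types touched by this patch (postgrey_etc_t, postgresql_etc_t) use `files_config_file`, so `files_config_file(portreserve_etc_t)` would keep it consistent. The interface summaries in portreserve.if say "portreserve etcuration files", a search-and-replace leftover of "configuration" that should be restored in both places. `files_pid_filetrans(portreserve_t,portreserve_var_run_t, { file sock_file })` omits `dir` even though portreserve.fc labels `/var/run/portreserve(/.*)?` as a directory tree and the domain is given `manage_dirs_pattern` on it, so a directory the daemon creates under /var/run would presumably not get portreserve_var_run_t. The three commented-out `#init_use_fds`/`#init_use_script_ptys`/`#domain_use_interactive_fds` lines at the end are dead code; either enable them with a comment saying why they are needed, or drop them.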
@@ -18399,20 +18031,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -@@ -43,9 +41,7 @@ - /usr/sbin/postmap -- gen_context(system_u:object_r:postfix_map_exec_t,s0) - /usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0) - /usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -- --/var/lib/postfix(/.*)? gen_context(system_u:object_r:postfix_data_t,s0) -- -+/var/lib/postfix(/.*)? gen_context(system_u:object_r:postfix_var_lib_t,s0) - /var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) - /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) - /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.5.12/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/postfix.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/postfix.if 2008-10-14 15:00:15.000000000 -0400 @@ -211,9 +211,8 @@ type postfix_etc_t; ') 
@@ -18511,8 +18132,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.12/policy/modules/services/postfix.te ---- nsaserefpolicy/policy/modules/services/postfix.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/postfix.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/postfix.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/postfix.te 2008-10-14 15:10:49.000000000 -0400 @@ -6,6 +6,14 @@ # Declarations # @@ -18558,24 +18179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type postfix_map_tmp_t; files_tmp_file(postfix_map_tmp_t) -@@ -80,13 +95,12 @@ - type postfix_public_t; - files_type(postfix_public_t) - -+type postfix_var_lib_t; -+files_type(postfix_var_lib_t) -+ - type postfix_var_run_t; - files_pid_file(postfix_var_run_t) - --# the data_directory config parameter --type postfix_data_t; --files_type(postfix_data_t) -- - postfix_server_domain_template(virtual) - mta_mailserver_delivery(postfix_virtual_t) - -@@ -103,14 +117,12 @@ +@@ -103,6 +118,7 @@ allow postfix_master_t self:fifo_file rw_fifo_file_perms; allow postfix_master_t self:tcp_socket create_stream_socket_perms; allow postfix_master_t self:udp_socket create_socket_perms; 
@@ -18583,25 +18187,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow postfix_master_t postfix_etc_t:file rw_file_perms; - can_exec(postfix_master_t,postfix_exec_t) - --allow postfix_master_t postfix_data_t:dir manage_dir_perms; --allow postfix_master_t postfix_data_t:file manage_file_perms; -- - allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock }; - - allow postfix_master_t postfix_postdrop_exec_t:file getattr; -@@ -129,6 +141,10 @@ - - domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) - -+manage_dirs_pattern(postfix_master_t, postfix_var_lib_t, postfix_var_lib_t) -+manage_files_pattern(postfix_master_t, postfix_var_lib_t, postfix_var_lib_t) -+files_search_var_lib(postfix_master_t) -+ - # allow access to deferred queue and allow removing bogus incoming entries - manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) - manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) @@ -142,6 +158,7 @@ delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) 
@@ -18610,25 +18195,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_all_sysctls(postfix_master_t) -@@ -181,12 +198,17 @@ +@@ -170,6 +187,7 @@ + domain_use_interactive_fds(postfix_master_t) + + files_read_usr_files(postfix_master_t) ++files_search_var_lib(postfix_master_t) + + term_dontaudit_search_ptys(postfix_master_t) + +@@ -181,15 +199,14 @@ mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) +mta_getattr_spool(postfix_master_t) - optional_policy(` - cyrus_stream_connect(postfix_master_t) +-ifdef(`distro_redhat',` +- # for newer main.cf that uses /etc/aliases +- mta_manage_aliases(postfix_master_t) +- mta_etc_filetrans_aliases(postfix_master_t) ++optional_policy(` ++ cyrus_stream_connect(postfix_master_t) ') optional_policy(` +- cyrus_stream_connect(postfix_master_t) + kerberos_keytab_template(postfix, postfix_t) -+') -+ -+optional_policy(` - # for postalias - mailman_manage_data_files(postfix_master_t) ') -@@ -196,6 +218,10 @@ + + optional_policy(` +@@ -202,9 +219,29 @@ ') optional_policy(` @@ -18639,7 +18234,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sendmail_signal(postfix_master_t) ') -@@ -255,6 +281,10 @@ ++########################################################### ++# ++# Partially converted rules. THESE ARE ONLY TEMPORARY ++# ++ ++ifdef(`distro_redhat',` ++ # for newer main.cf that uses /etc/aliases ++ allow postfix_master_t etc_aliases_t:dir manage_dir_perms; ++ allow postfix_master_t etc_aliases_t:file manage_file_perms; ++ allow postfix_master_t etc_aliases_t:lnk_file manage_lnk_file_perms; ++ mta_etc_filetrans_aliases(postfix_master_t) ++ filetrans_pattern(postfix_master_t, postfix_etc_t, etc_aliases_t, { dir file lnk_file }) ++') ++ ++# end partially converted rules ++ + ######################################## + # + # Postfix bounce local policy +@@ -245,6 +282,10 @@ corecmd_exec_bin(postfix_cleanup_t) 
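Review bot: The "Partially converted rules" block added to postfix.te in the second hunk on this line (`@@ -18639`) writes `allow postfix_master_t etc_aliases_t:dir manage_dir_perms;` and its file/lnk_file companions directly against the mta module's type, where the line the first hunk (`@@ -18610`) removes used the `mta_manage_aliases(postfix_master_t)` interface; reaching into another module's type from a .te bypasses the interface layering the rest of this patch follows, and the "THESE ARE ONLY TEMPORARY" comment does not say what blocks the proper conversion. The new `filetrans_pattern(postfix_master_t, postfix_etc_t, etc_aliases_t, { dir file lnk_file })` also looks broader than intended: as I read it, every dir, file and symlink postfix_master_t creates anywhere under postfix_etc_t would be labelled etc_aliases_t rather than postfix_etc_t, not only the aliases database, so restoring `mta_manage_aliases(postfix_master_t)` next to the kept `mta_etc_filetrans_aliases(postfix_master_t)` would be safer than the unqualified transition. At minimum the block should carry a comment such as `# TODO: revert to mta_manage_aliases(postfix_master_t) once the aliases rules are converted` so the temporary state is tracked.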
@@ -18650,7 +18264,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix local local policy -@@ -280,18 +310,25 @@ +@@ -270,18 +311,25 @@ files_read_etc_files(postfix_local_t) @@ -18676,7 +18290,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -302,8 +339,7 @@ +@@ -292,8 +340,7 @@ # # Postfix map local policy # @@ -18686,7 +18300,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; allow postfix_map_t self:unix_dgram_socket create_socket_perms; allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -353,8 +389,6 @@ +@@ -343,8 +390,6 @@ miscfiles_read_localization(postfix_map_t) @@ -18695,7 +18309,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) -@@ -367,6 +401,11 @@ +@@ -357,6 +402,11 @@ locallogin_dontaudit_use_fds(postfix_map_t) ') @@ -18707,7 +18321,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix pickup local policy -@@ -391,6 +430,7 @@ +@@ -381,6 +431,7 @@ # allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; @@ -18715,7 +18329,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -398,6 +438,12 @@ +@@ -388,6 +439,12 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) @@ -18728,7 +18342,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` procmail_domtrans(postfix_pipe_t) ') -@@ -407,6 +453,14 @@ +@@ -397,6 +454,14 @@ ') optional_policy(` 
@@ -18743,7 +18357,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol uucp_domtrans_uux(postfix_pipe_t) ') -@@ -443,8 +497,11 @@ +@@ -433,8 +498,11 @@ ') optional_policy(` @@ -18757,7 +18371,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -470,6 +527,15 @@ +@@ -460,6 +528,15 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) @@ -18773,7 +18387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix qmgr local policy -@@ -553,6 +619,10 @@ +@@ -543,6 +620,10 @@ mta_read_aliases(postfix_smtpd_t) optional_policy(` @@ -18784,7 +18398,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mailman_read_data_files(postfix_smtpd_t) ') -@@ -579,7 +649,7 @@ +@@ -569,7 +650,7 @@ files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir }) # connect to master process @@ -18795,7 +18409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(postfix_virtual_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.5.12/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/postgresql.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/postgresql.fc 2008-10-14 15:00:15.000000000 -0400 @@ -2,6 +2,7 @@ # /etc # 
@@ -18806,7 +18420,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /usr diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.5.12/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/postgresql.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/postgresql.if 2008-10-14 15:00:15.000000000 -0400 @@ -372,3 +372,46 @@ typeattribute $1 sepgsql_unconfined_type; @@ -18855,8 +18469,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, postgresql_tmp_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.5.12/policy/modules/services/postgresql.te ---- nsaserefpolicy/policy/modules/services/postgresql.te 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/postgresql.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/postgresql.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/postgresql.te 2008-10-14 15:00:15.000000000 -0400 @@ -32,6 +32,9 @@ type postgresql_etc_t; files_config_file(postgresql_etc_t) 
@@ -18896,7 +18510,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.fc serefpolicy-3.5.12/policy/modules/services/postgrey.fc --- nsaserefpolicy/policy/modules/services/postgrey.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/postgrey.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/postgrey.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,5 +1,7 @@ /etc/postgrey(/.*)? gen_context(system_u:object_r:postgrey_etc_t,s0) @@ -18913,7 +18527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.5.12/policy/modules/services/postgrey.if --- nsaserefpolicy/policy/modules/services/postgrey.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/postgrey.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/postgrey.if 2008-10-14 15:00:15.000000000 -0400 @@ -12,10 +12,73 @@ # interface(`postgrey_stream_connect',` @@ -18992,7 +18606,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.5.12/policy/modules/services/postgrey.te --- nsaserefpolicy/policy/modules/services/postgrey.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/postgrey.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/postgrey.te 2008-10-14 15:00:15.000000000 -0400 
@@ -13,6 +13,12 @@ type postgrey_etc_t; files_config_file(postgrey_etc_t) @@ -19043,7 +18657,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.5.12/policy/modules/services/ppp.fc --- nsaserefpolicy/policy/modules/services/ppp.fc 2008-09-11 11:28:34.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/ppp.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/ppp.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,8 +1,6 @@ # # /etc @@ -19067,7 +18681,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /sbin diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.5.12/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2008-09-11 11:28:34.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/ppp.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/ppp.if 2008-10-14 15:00:15.000000000 -0400 @@ -58,6 +58,25 @@ ######################################## @@ -19172,8 +18786,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, pptp_var_run_t, pptp_var_run_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.5.12/policy/modules/services/ppp.te ---- nsaserefpolicy/policy/modules/services/ppp.te 2008-09-11 11:28:34.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/ppp.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ppp.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/ppp.te 2008-10-14 15:00:15.000000000 -0400 @@ -37,8 +37,8 @@ type pppd_etc_rw_t; files_type(pppd_etc_rw_t) 
@@ -19277,7 +18891,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.5.12/policy/modules/services/prelude.fc --- nsaserefpolicy/policy/modules/services/prelude.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/prelude.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/prelude.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,3 +1,9 @@ +/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0) + @@ -19306,7 +18920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.5.12/policy/modules/services/prelude.if --- nsaserefpolicy/policy/modules/services/prelude.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/prelude.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/prelude.if 2008-10-14 15:00:15.000000000 -0400 @@ -6,7 +6,7 @@ ## ## @@ -19421,7 +19035,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.12/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/prelude.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/prelude.te 2008-10-14 15:00:15.000000000 -0400 @@ -13,25 +13,57 @@ type prelude_spool_t; files_type(prelude_spool_t) 
@@ -19686,7 +19300,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mysql_search_db(httpd_prewikka_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.5.12/policy/modules/services/privoxy.fc --- nsaserefpolicy/policy/modules/services/privoxy.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/privoxy.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/privoxy.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,5 +1,7 @@ /etc/privoxy/user\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0) @@ -19697,7 +19311,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.if serefpolicy-3.5.12/policy/modules/services/privoxy.if --- nsaserefpolicy/policy/modules/services/privoxy.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/privoxy.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/privoxy.if 2008-10-14 15:00:15.000000000 -0400 @@ -16,17 +16,23 @@ gen_require(` type privoxy_t, privoxy_log_t; @@ -19727,7 +19341,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.5.12/policy/modules/services/privoxy.te --- nsaserefpolicy/policy/modules/services/privoxy.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/privoxy.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/privoxy.te 2008-10-14 15:00:15.000000000 -0400 @@ -10,6 +10,9 @@ type privoxy_exec_t; init_daemon_domain(privoxy_t, privoxy_exec_t) 
@@ -19748,7 +19362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_sendrecv_http_cache_server_packets(privoxy_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.5.12/policy/modules/services/procmail.fc --- nsaserefpolicy/policy/modules/services/procmail.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/procmail.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/procmail.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,2 +1,5 @@ /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) @@ -19757,7 +19371,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.5.12/policy/modules/services/procmail.if --- nsaserefpolicy/policy/modules/services/procmail.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/procmail.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/procmail.if 2008-10-14 15:00:15.000000000 -0400 @@ -39,3 +39,41 @@ corecmd_search_bin($1) can_exec($1, procmail_exec_t) @@ -19802,7 +19416,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.5.12/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/procmail.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/procmail.te 2008-10-14 15:00:15.000000000 -0400 
@@ -14,6 +14,10 @@ type procmail_tmp_t; files_tmp_file(procmail_tmp_t) @@ -19882,7 +19496,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.5.12/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/pyzor.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/pyzor.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,6 +1,8 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) @@ -19895,7 +19509,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.5.12/policy/modules/services/pyzor.if --- nsaserefpolicy/policy/modules/services/pyzor.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/pyzor.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/pyzor.if 2008-10-14 15:00:15.000000000 -0400 @@ -25,16 +25,16 @@ # template(`pyzor_per_role_template',` @@ -19973,7 +19587,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.5.12/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/pyzor.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/pyzor.te 2008-10-14 15:00:15.000000000 -0400 
@@ -6,6 +6,37 @@ # Declarations # @@ -20060,8 +19674,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.5.12/policy/modules/services/qmail.te ---- nsaserefpolicy/policy/modules/services/qmail.te 2008-08-11 11:23:34.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/qmail.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/qmail.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/qmail.te 2008-10-14 15:00:15.000000000 -0400 @@ -124,6 +124,10 @@ qmail_domtrans_queue(qmail_local_t) 
@@ -20084,21 +19698,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.fc serefpolicy-3.5.12/policy/modules/services/radius.fc ---- nsaserefpolicy/policy/modules/services/radius.fc 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/radius.fc 2008-10-10 16:08:15.000000000 -0400 -@@ -1,7 +1,7 @@ - - /etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0) - /etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) --/etc/rc\.d/init\.d/radiusd -- gen_context(system_u:object_r:radiusd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/radiusd -- gen_context(system_u:object_r:radius_initrc_exec_t,s0) - - /etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0) - /etc/raddb/db\.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.5.12/policy/modules/services/radius.te ---- nsaserefpolicy/policy/modules/services/radius.te 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/radius.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/radius.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/radius.te 2008-10-14 15:00:15.000000000 -0400 @@ -59,8 +59,9 @@ manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t) 
@@ -20112,7 +19714,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(radiusd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.5.12/policy/modules/services/razor.fc --- nsaserefpolicy/policy/modules/services/razor.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/razor.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/razor.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,4 +1,4 @@ -HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:ROLE_razor_home_t,s0) +HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) @@ -20121,7 +19723,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.5.12/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/razor.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/razor.if 2008-10-14 15:00:15.000000000 -0400 @@ -137,6 +137,7 @@ template(`razor_per_role_template',` gen_require(` @@ -20243,7 +19845,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.5.12/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/razor.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/razor.te 2008-10-14 15:00:15.000000000 -0400 @@ -6,21 +6,51 @@ # Declarations # 
@@ -20300,8 +19902,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.5.12/policy/modules/services/ricci.te ---- nsaserefpolicy/policy/modules/services/ricci.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/ricci.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ricci.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/ricci.te 2008-10-14 15:00:15.000000000 -0400 @@ -133,6 +133,8 @@ dev_read_urand(ricci_t) @@ -20366,7 +19968,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_manage_etc_files(ricci_modstorage_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.5.12/policy/modules/services/rlogin.te --- nsaserefpolicy/policy/modules/services/rlogin.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/rlogin.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/rlogin.te 2008-10-14 15:00:15.000000000 -0400 @@ -94,8 +94,8 @@ remotelogin_signal(rlogind_t) @@ -20380,7 +19982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.fc serefpolicy-3.5.12/policy/modules/services/roundup.fc --- nsaserefpolicy/policy/modules/services/roundup.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/roundup.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/roundup.fc 2008-10-14 15:00:15.000000000 -0400 
@@ -1,3 +1,5 @@ +/etc/rc\.d/init\.d/roundup -- gen_context(system_u:object_r:roundup_initrc_exec_t,s0) + @@ -20389,7 +19991,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.if serefpolicy-3.5.12/policy/modules/services/roundup.if --- nsaserefpolicy/policy/modules/services/roundup.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/roundup.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/roundup.if 2008-10-14 15:00:15.000000000 -0400 @@ -1 +1,39 @@ ## Roundup Issue Tracking System policy + @@ -20432,7 +20034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.te serefpolicy-3.5.12/policy/modules/services/roundup.te --- nsaserefpolicy/policy/modules/services/roundup.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/roundup.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/roundup.te 2008-10-14 15:00:15.000000000 -0400 @@ -10,6 +10,9 @@ type roundup_exec_t; init_daemon_domain(roundup_t, roundup_exec_t) @@ -20445,7 +20047,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.5.12/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/rpc.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/rpc.if 2008-10-14 15:00:15.000000000 -0400 @@ -88,8 +88,11 @@ # bind to arbitary unused ports corenet_tcp_bind_generic_port($1_t) 
@@ -20485,8 +20087,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.12/policy/modules/services/rpc.te ---- nsaserefpolicy/policy/modules/services/rpc.te 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/rpc.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rpc.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/rpc.te 2008-10-14 15:00:15.000000000 -0400 @@ -23,7 +23,7 @@ gen_tunable(allow_nfsd_anon_write, false) @@ -20547,28 +20149,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.5.12/policy/modules/services/rpcbind.fc --- nsaserefpolicy/policy/modules/services/rpcbind.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/rpcbind.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/rpcbind.fc 2008-10-14 15:00:15.000000000 -0400 
@@ -1,4 +1,4 @@ -/etc/rc.d/init.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0) +/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0) /sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.5.12/policy/modules/services/rpcbind.if ---- nsaserefpolicy/policy/modules/services/rpcbind.if 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/rpcbind.if 2008-10-10 16:08:15.000000000 -0400 -@@ -122,7 +122,7 @@ - allow $1 rpcbind_t:process { ptrace signal_perms }; - ps_process_pattern($1, rpcbind_t) - -- init_labeled_script_domtrans($1, rbcbind_initrc_exec_t) -+ init_labeled_script_domtrans($1, rpcbind_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rpcbind_initrc_exec_t system_r; - allow $2 system_r; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.5.12/policy/modules/services/rpcbind.te ---- nsaserefpolicy/policy/modules/services/rpcbind.te 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/rpcbind.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rpcbind.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/rpcbind.te 2008-10-14 15:00:15.000000000 -0400 @@ -60,6 +60,7 @@ domain_use_interactive_fds(rpcbind_t) 
@@ -20579,7 +20169,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_shared_libs(rpcbind_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.5.12/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/rshd.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/rshd.te 2008-10-14 15:00:15.000000000 -0400 @@ -16,7 +16,7 @@ # # Local policy @@ -20643,7 +20233,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.5.12/policy/modules/services/rsync.fc --- nsaserefpolicy/policy/modules/services/rsync.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/rsync.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/rsync.fc 2008-10-14 15:00:15.000000000 -0400 @@ -3,4 +3,4 @@ /var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0) 
@@ -20651,8 +20241,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_log_t,s0) +/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.5.12/policy/modules/services/rsync.te ---- nsaserefpolicy/policy/modules/services/rsync.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/rsync.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rsync.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/rsync.te 2008-10-14 15:00:15.000000000 -0400 @@ -45,7 +45,7 @@ # Local policy # @@ -20664,7 +20254,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow rsync_t self:tcp_socket create_stream_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.5.12/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/samba.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/samba.fc 2008-10-14 15:00:15.000000000 -0400 @@ -2,6 +2,9 @@ # # /etc @@ -20693,7 +20283,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.5.12/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/samba.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/samba.if 2008-10-14 15:00:15.000000000 -0400 
@@ -52,6 +52,25 @@ ## ## @@ -21019,8 +20609,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.5.12/policy/modules/services/samba.te ---- nsaserefpolicy/policy/modules/services/samba.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/samba.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/samba.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/samba.te 2008-10-14 15:00:15.000000000 -0400 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -21418,8 +21008,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +allow smbcontrol_t nmbd_var_run_t:file { read lock }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.5.12/policy/modules/services/sasl.te ---- nsaserefpolicy/policy/modules/services/sasl.te 2008-10-10 15:53:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/sasl.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/sasl.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/sasl.te 2008-10-14 15:00:15.000000000 -0400 @@ -111,6 +111,10 @@ ') @@ -21433,7 +21023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.5.12/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/sendmail.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/sendmail.if 2008-10-14 15:00:15.000000000 -0400 
@@ -149,3 +149,104 @@ logging_log_filetrans($1, sendmail_log_t, file) @@ -21541,7 +21131,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.5.12/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/sendmail.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/sendmail.te 2008-10-14 15:00:15.000000000 -0400 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -21703,7 +21293,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -') dnl end TODO diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.5.12/policy/modules/services/setroubleshoot.fc --- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/setroubleshoot.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/setroubleshoot.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,3 +1,5 @@ +/etc/rc\.d/init\.d/setroubleshoot -- gen_context(system_u:object_r:setroubleshoot_initrc_exec_t,s0) + 
@@ -21712,7 +21302,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.5.12/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/setroubleshoot.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/setroubleshoot.if 2008-10-14 15:00:15.000000000 -0400 @@ -16,8 +16,8 @@ ') @@ -21775,8 +21365,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, setroubleshoot_var_run_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.5.12/policy/modules/services/setroubleshoot.te ---- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2008-08-25 09:12:31.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/setroubleshoot.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/setroubleshoot.te 2008-10-14 15:00:15.000000000 -0400 @@ -11,6 +11,9 @@ domain_type(setroubleshootd_t) init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) 
@@ -21798,17 +21388,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -52,7 +55,9 @@ +@@ -52,7 +55,10 @@ kernel_read_kernel_sysctls(setroubleshootd_t) kernel_read_system_state(setroubleshootd_t) +kernel_read_net_sysctls(setroubleshootd_t) kernel_read_network_state(setroubleshootd_t) +kernel_dontaudit_list_all_proc(setroubleshootd_t) ++kernel_read_unlabeled_state(setroubleshootd_t) corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) -@@ -68,16 +73,23 @@ +@@ -68,16 +74,23 @@ dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) @@ -21833,7 +21424,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -@@ -97,22 +109,25 @@ +@@ -97,22 +110,25 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) @@ -21862,15 +21453,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpm_dontaudit_manage_db(setroubleshootd_t) rpm_use_script_fds(setroubleshootd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.5.12/policy/modules/services/smartmon.te ---- nsaserefpolicy/policy/modules/services/smartmon.te 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/smartmon.te 2008-10-10 16:08:15.000000000 -0400 -@@ -1,5 +1,5 @@ - --policy_module(smartmon, 1.6.1) -+policy_module(smartmon, 1.6.0) - - ######################################## - # +--- nsaserefpolicy/policy/modules/services/smartmon.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/smartmon.te 2008-10-14 15:00:15.000000000 -0400 
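Review bot: The added `+kernel_read_unlabeled_state(setroubleshootd_t)` in the setroubleshoot.te hunk carries no comment saying which denial it resolves, and nothing in this patch records why the daemon needs what the interface name suggests is read access to unlabeled_t state; an unexplained widening of a daemon's reach is exactly the kind of rule a later policy reader has to re-audit from scratch. I would keep the motivating AVC next to the rule in the .te, e.g. `# <AVC placeholder>: setroubleshootd reads unlabeled_t state while diagnosing denials`, so the grant can be re-checked when the plugin code changes. The renumbered inner headers (`+55,9` to `+55,10`, `+73,23` to `+74,23`, and `+109,25` to `+110,25` in the next hunk) are consistent with a single inserted line, so the patch itself should still apply. The setroubleshootd_t rule block continues outside the hunk.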
@@ -19,6 +19,10 @@ type fsdaemon_tmp_t; files_tmp_file(fsdaemon_tmp_t) @@ -21895,7 +21479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_udp_sendrecv_all_nodes(fsdaemon_t) corenet_udp_sendrecv_all_ports(fsdaemon_t) -+dev_del_entry_generic_dirs(fsdaemon_t) ++dev_del_generic_dirs(fsdaemon_t) dev_read_sysfs(fsdaemon_t) dev_read_urand(fsdaemon_t) @@ -21930,7 +21514,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.5.12/policy/modules/services/snmp.fc --- nsaserefpolicy/policy/modules/services/snmp.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/snmp.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/snmp.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,3 +1,6 @@ +/etc/rc\.d/init\.d/snmpd -- gen_context(system_u:object_r:snmp_initrc_exec_t,s0) +/etc/rc\.d/init\.d/snmptrapd -- gen_context(system_u:object_r:snmp_initrc_exec_t,s0) @@ -21948,7 +21532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.5.12/policy/modules/services/snmp.if --- nsaserefpolicy/policy/modules/services/snmp.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/snmp.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/snmp.if 2008-10-14 15:00:15.000000000 -0400 @@ -95,23 +95,34 @@ ## Domain allowed access. ## 
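Review bot: The smartmon.te hunk swaps `dev_del_entry_generic_dirs(fsdaemon_t)` for `dev_del_generic_dirs(fsdaemon_t)` without a note, and if both names are declared in devices.if they presumably grant different things (removing entries inside /dev directories versus removing the directories themselves), so this reads as a semantic change rather than a spelling fix. Please confirm the new name is an interface declared in the 2008-10-14 nsaserefpolicy snapshot this patch is now rebased onto, since an unknown interface name only surfaces when the module is built, and add a one-line comment in the .te stating what fsdaemon_t actually has to delete under /dev, e.g. `# smartd removes <device node placeholder> under /dev`. The context lines from `corenet_udp_sendrecv_all_ports` through `dev_read_urand` are otherwise unchanged, and the fsdaemon_t rule block continues outside the hunk.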
@@ -21989,7 +21573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.5.12/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/snmp.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/snmp.te 2008-10-14 15:00:15.000000000 -0400 @@ -9,6 +9,9 @@ type snmpd_exec_t; init_daemon_domain(snmpd_t, snmpd_exec_t) @@ -22056,7 +21640,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.if serefpolicy-3.5.12/policy/modules/services/snort.if --- nsaserefpolicy/policy/modules/services/snort.if 2008-10-10 15:53:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/snort.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/snort.if 2008-10-14 15:00:15.000000000 -0400 @@ -30,7 +30,7 @@ ## ## @@ -22080,8 +21664,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, snort_log_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.5.12/policy/modules/services/snort.te ---- nsaserefpolicy/policy/modules/services/snort.te 2008-10-10 15:53:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/snort.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/snort.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/snort.te 2008-10-14 15:00:15.000000000 -0400 @@ -56,6 +56,7 @@ files_pid_filetrans(snort_t, snort_var_run_t, file) 
@@ -22114,7 +21698,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.5.12/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/spamassassin.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/spamassassin.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,16 +1,27 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) @@ -22148,7 +21732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.5.12/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/spamassassin.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/spamassassin.if 2008-10-14 15:00:15.000000000 -0400 @@ -34,10 +34,10 @@ # cjp: when tunables are available, spamc stuff should be # toggled on activation of spamc, and similarly for spamd. 
@@ -22683,7 +22267,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.5.12/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/spamassassin.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/spamassassin.te 2008-10-14 15:00:15.000000000 -0400 @@ -21,16 +21,24 @@ gen_tunable(spamd_enable_home_dirs, true) @@ -22978,8 +22562,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + sendmail_rw_pipes(spamc_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.5.12/policy/modules/services/squid.te ---- nsaserefpolicy/policy/modules/services/squid.te 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/squid.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/squid.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/squid.te 2008-10-14 15:00:15.000000000 -0400 @@ -118,6 +118,8 @@ fs_getattr_all_fs(squid_t) @@ -23000,7 +22584,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -') dnl end TODO diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.5.12/policy/modules/services/ssh.fc --- nsaserefpolicy/policy/modules/services/ssh.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/ssh.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/ssh.fc 2008-10-14 15:00:15.000000000 -0400 
@@ -1,4 +1,4 @@ -HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ROLE_home_ssh_t,s0) +HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) @@ -23009,7 +22593,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.12/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/ssh.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/ssh.if 2008-10-14 15:00:15.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -23257,8 +22841,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + delete_files_pattern($1, ssh_tmp_t, ssh_tmp_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.5.12/policy/modules/services/ssh.te ---- nsaserefpolicy/policy/modules/services/ssh.te 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/ssh.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ssh.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/ssh.te 2008-10-14 15:00:15.000000000 -0400 @@ -24,7 +24,7 @@ # Type for the ssh-agent executable. 
@@ -23321,7 +22905,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.fc serefpolicy-3.5.12/policy/modules/services/stunnel.fc --- nsaserefpolicy/policy/modules/services/stunnel.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/stunnel.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/stunnel.fc 2008-10-14 15:00:15.000000000 -0400 @@ -2,5 +2,6 @@ /etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0) @@ -23330,8 +22914,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.5.12/policy/modules/services/stunnel.te ---- nsaserefpolicy/policy/modules/services/stunnel.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/stunnel.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/stunnel.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/stunnel.te 2008-10-14 15:00:15.000000000 -0400 @@ -54,6 +54,8 @@ kernel_read_system_state(stunnel_t) kernel_read_network_state(stunnel_t) 
@@ -23351,7 +22935,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.5.12/policy/modules/services/sysstat.te --- nsaserefpolicy/policy/modules/services/sysstat.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/sysstat.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/sysstat.te 2008-10-14 15:00:15.000000000 -0400 @@ -47,6 +47,7 @@ files_read_etc_files(sysstat_t) @@ -23362,7 +22946,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_terms(sysstat_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.5.12/policy/modules/services/telnet.te --- nsaserefpolicy/policy/modules/services/telnet.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/telnet.te 2008-10-10 16:23:10.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/telnet.te 2008-10-14 15:00:15.000000000 -0400 @@ -90,8 +90,8 @@ userdom_search_unpriv_users_home_dirs(telnetd_t) @@ -23375,8 +22959,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.5.12/policy/modules/services/tftp.te ---- nsaserefpolicy/policy/modules/services/tftp.te 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/tftp.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/tftp.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/tftp.te 2008-10-14 15:00:15.000000000 -0400 @@ -75,6 +75,7 @@ domain_use_interactive_fds(tftpd_t) 
@@ -23387,7 +22971,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_var(tftpd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.5.12/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/virt.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/virt.fc 2008-10-14 15:00:15.000000000 -0400 @@ -2,6 +2,7 @@ /etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) /etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) @@ -23397,17 +22981,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.5.12/policy/modules/services/virt.if ---- nsaserefpolicy/policy/modules/services/virt.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/virt.if 2008-10-10 16:08:15.000000000 -0400 -@@ -68,7 +68,7 @@ - ## - ## - # --interface(`virt_manage_pids_files',` -+interface(`virt_manage_pid_files',` - gen_require(` - type virt_var_run_t; - ') +--- nsaserefpolicy/policy/modules/services/virt.if 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/virt.if 2008-10-14 15:00:15.000000000 -0400 @@ -78,6 +78,24 @@ ######################################## 
@@ -23497,17 +23072,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol virt_manage_lib_files($1) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.5.12/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/virt.te 2008-10-10 16:08:15.000000000 -0400 -@@ -1,6 +1,8 @@ - - policy_module(virt, 1.0.0) - -+attribute virt_image_type; -+ - ######################################## - # - # Declarations -@@ -28,9 +30,7 @@ ++++ serefpolicy-3.5.12/policy/modules/services/virt.te 2008-10-14 15:00:15.000000000 -0400 +@@ -28,9 +28,7 @@ # virt Image files type virt_image_t; # customizable @@ -23518,7 +23084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type virt_log_t; logging_log_file(virt_log_t) -@@ -45,6 +45,9 @@ +@@ -45,6 +43,9 @@ type virtd_exec_t; init_daemon_domain(virtd_t, virtd_exec_t) @@ -23528,7 +23094,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # virtd local policy -@@ -49,9 +52,8 @@ +@@ -49,9 +50,8 @@ # # virtd local policy # @@ -23539,7 +23105,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow virtd_t self:fifo_file rw_file_perms; allow virtd_t self:unix_stream_socket create_stream_socket_perms; allow virtd_t self:tcp_socket create_stream_socket_perms; -@@ -64,7 +66,7 @@ +@@ -64,7 +64,7 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) 
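Review bot: This hunk drops `+attribute virt_image_type;` from the patched virt.te while the base virt.te header stays at `2008-08-07`, whereas virt.if's base header in the previous hunk moved to `2008-10-14` — so, from what is visible, the declaration is no longer supplied by this patch and not by a refreshed base virt.te either. If any rule that survives in virt.te or virt.if (the inner `@@ -28,9 +28,7 @@` and `@@ -78,6 +78,24 @@` hunks are cut off here) still names `virt_image_type`, checkmodule rejects the module for an undeclared attribute. If the declaration has in fact moved into the base policy, a sentence in the commit message saying so would save the next reader this check. The Declarations section containing the removed line begins outside the hunk.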
@@ -23548,7 +23114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -82,6 +84,8 @@ +@@ -82,6 +82,8 @@ kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) @@ -23557,7 +23123,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_load_module(virtd_t) corecmd_exec_bin(virtd_t) -@@ -93,7 +97,7 @@ +@@ -93,7 +95,7 @@ corenet_tcp_sendrecv_all_nodes(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t) corenet_tcp_bind_all_nodes(virtd_t) @@ -23566,7 +23132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_vnc_port(virtd_t) corenet_tcp_connect_vnc_port(virtd_t) corenet_tcp_connect_soundd_port(virtd_t) -@@ -107,8 +111,10 @@ +@@ -107,8 +109,10 @@ files_read_usr_files(virtd_t) files_read_etc_files(virtd_t) @@ -23577,7 +23143,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_list_auto_mountpoints(virtd_t) -@@ -162,26 +168,27 @@ +@@ -162,26 +166,27 @@ ') ') @@ -23614,7 +23180,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -189,9 +196,10 @@ +@@ -189,9 +194,10 @@ ') optional_policy(` @@ -23630,7 +23196,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.5.12/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 2008-08-25 09:12:31.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/w3c.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/w3c.te 2008-10-14 15:00:15.000000000 -0400 @@ -8,11 +8,18 @@ apache_content_template(w3c_validator) 
@@ -23652,7 +23218,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.5.12/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/xserver.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/xserver.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,13 +1,15 @@ # # HOME_DIR @@ -23728,7 +23294,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.12/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/xserver.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/xserver.if 2008-10-14 15:02:15.000000000 -0400 @@ -16,6 +16,7 @@ gen_require(` type xkb_var_lib_t, xserver_exec_t, xserver_log_t; @@ -24052,7 +23618,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -649,13 +571,208 @@ +@@ -649,13 +571,212 @@ xserver_read_xdm_tmp_files($2) 
@@ -24230,7 +23796,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $2 info_xproperty_t:x_property read; + allow $2 manage_xevent_t:x_event receive; + allow $2 manage_xevent_t:x_synthetic_event { send receive }; ++ + allow $2 output_xext_t:x_extension { query use }; ++ allow $2 debug_xext_t:x_extension { query use }; ++ allow $2 screensaver_xext_t:x_extension { query use }; ++ + allow $2 property_xevent_t:x_event receive; + allow $2 shmem_xext_t:x_extension { query use }; + @@ -24265,7 +23835,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ####################################### ## ## Interface to provide X object permissions on a given X server to -@@ -682,7 +799,7 @@ +@@ -682,7 +803,7 @@ # template(`xserver_common_x_domain_template',` gen_require(` @@ -24274,7 +23844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type xproperty_t, info_xproperty_t, clipboard_xproperty_t; type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; type xevent_t, client_xevent_t; -@@ -691,7 +808,6 @@ +@@ -691,7 +812,6 @@ attribute x_server_domain, x_domain; attribute xproperty_type; attribute xevent_type, xextension_type; @@ -24282,7 +23852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol class x_drawable all_x_drawable_perms; class x_screen all_x_screen_perms; -@@ -708,6 +824,7 @@ +@@ -708,6 +828,7 @@ class x_resource all_x_resource_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; @@ -24290,7 +23860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -715,20 +832,22 @@ +@@ -715,20 +836,22 @@ # Declarations # 
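Review bot: The two added rules `allow $2 debug_xext_t:x_extension { query use };` and `allow $2 screensaver_xext_t:x_extension { query use };` grant a client domain the debugging-extension label with no comment on why, although this file annotates comparably risky grants (the override-redirect rule in a later hunk carries `# this could be used to spoof labels`). If `debug_xext_t` is mapped as in upstream refpolicy's x_contexts — XTEST and RECORD — then `use` on it lets the client synthesize input events and record other clients' protocol traffic, keystrokes included, which undercuts a restricted X template; if this policy ships a different mapping, the comment should say what the label covers instead. Suggested comment on the debug line: `# debug_xext_t (XTEST/RECORD in x_contexts): fake input and protocol recording; needed by <app> — confirm mapping`. The template these rules belong to starts and ends outside the hunk.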
@@ -24316,7 +23886,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # # Local Policy -@@ -746,7 +865,7 @@ +@@ -746,7 +869,7 @@ allow $3 x_server_domain:x_server getattr; # everyone can do override-redirect windows. # this could be used to spoof labels @@ -24325,7 +23895,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # everyone can receive management events on the root window # allows to know when new windows appear, among other things allow $3 manage_xevent_t:x_event receive; -@@ -755,36 +874,30 @@ +@@ -755,36 +878,30 @@ # can read server-owned resources allow $3 x_server_domain:x_resource read; # can mess with own clients @@ -24372,7 +23942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Input # can receive own events -@@ -811,6 +924,12 @@ +@@ -811,6 +928,12 @@ allow $3 manage_xevent_t:x_synthetic_event send; allow $3 client_xevent_t:x_synthetic_event send; @@ -24385,7 +23955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Selections # can use the clipboard allow $3 clipboard_xselection_t:x_selection { getattr setattr read }; -@@ -819,13 +938,15 @@ +@@ -819,13 +942,15 @@ # Other X Objects # can create and use cursors @@ -24405,7 +23975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined($3), -@@ -885,24 +1006,17 @@ +@@ -885,24 +1010,17 @@ # template(`xserver_user_x_domain_template',` gen_require(` @@ -24437,7 +24007,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow connections to X server. files_search_tmp($3) -@@ -917,16 +1031,12 @@ +@@ -917,16 +1035,12 @@ xserver_rw_session_template($1, $3, $4) xserver_use_user_fonts($1, $3) 
@@ -24457,7 +24027,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -958,26 +1068,43 @@ +@@ -958,26 +1072,43 @@ # template(`xserver_use_user_fonts',` gen_require(` @@ -24508,7 +24078,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Transition to a user Xauthority domain. ## ## -@@ -1003,10 +1130,77 @@ +@@ -1003,10 +1134,77 @@ # template(`xserver_domtrans_user_xauth',` gen_require(` @@ -24588,7 +24158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1036,10 +1230,10 @@ +@@ -1036,10 +1234,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -24601,7 +24171,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1225,6 +1419,25 @@ +@@ -1225,6 +1423,25 @@ ######################################## ## @@ -24627,7 +24197,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read xdm-writable configuration files. ## ## -@@ -1279,6 +1492,7 @@ +@@ -1279,6 +1496,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) @@ -24635,7 +24205,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1297,7 +1511,7 @@ +@@ -1297,7 +1515,7 @@ ') files_search_pids($1) @@ -24644,7 +24214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1320,6 +1534,24 @@ +@@ -1320,6 +1538,24 @@ ######################################## ## 
@@ -24669,7 +24239,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute the X server in the XDM X server domain. ## ## -@@ -1330,15 +1562,47 @@ +@@ -1330,15 +1566,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` @@ -24718,7 +24288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1488,7 +1752,7 @@ +@@ -1488,7 +1756,7 @@ type xdm_xserver_tmp_t; ') @@ -24727,7 +24297,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1680,6 +1944,26 @@ +@@ -1680,6 +1948,26 @@ ######################################## ## @@ -24754,7 +24324,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## xdm xserver RW shared memory socket. ## ## -@@ -1698,6 +1982,24 @@ +@@ -1698,6 +1986,24 @@ ######################################## ## @@ -24779,7 +24349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1710,8 +2012,157 @@ +@@ -1710,8 +2016,157 @@ # interface(`xserver_unconfined',` gen_require(` 
@@ -24940,8 +24510,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 xdm_xproperty_t:x_property { write read }; ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.12/policy/modules/services/xserver.te ---- nsaserefpolicy/policy/modules/services/xserver.te 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/services/xserver.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/xserver.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/xserver.te 2008-10-14 15:00:15.000000000 -0400 @@ -8,6 +8,14 @@ ## @@ -25491,13 +25061,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow xdm_t iceauth_home_t:file read_file_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.fc serefpolicy-3.5.12/policy/modules/services/zosremote.fc --- nsaserefpolicy/policy/modules/services/zosremote.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/services/zosremote.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/zosremote.fc 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,2 @@ + +/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.if serefpolicy-3.5.12/policy/modules/services/zosremote.if --- nsaserefpolicy/policy/modules/services/zosremote.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/services/zosremote.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/zosremote.if 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,52 @@ +## policy for z/OS Remote-services Audit dispatcher plugin + 
@@ -25553,7 +25123,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.te serefpolicy-3.5.12/policy/modules/services/zosremote.te --- nsaserefpolicy/policy/modules/services/zosremote.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.12/policy/modules/services/zosremote.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/services/zosremote.te 2008-10-14 15:00:15.000000000 -0400 @@ -0,0 +1,37 @@ +policy_module(zosremote,1.0.0) + @@ -25594,7 +25164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +logging_send_syslog_msg(zos_remote_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.5.12/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/application.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/application.te 2008-10-14 15:00:15.000000000 -0400 @@ -7,6 +7,12 @@ # Executables to be run by user attribute application_exec_type; @@ -25610,7 +25180,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ssh_rw_stream_sockets(application_domain_type) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.5.12/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/authlogin.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/authlogin.fc 2008-10-14 15:00:15.000000000 -0400 
@@ -7,12 +7,10 @@ /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) @@ -25639,7 +25209,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.5.12/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/authlogin.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/authlogin.if 2008-10-14 15:00:15.000000000 -0400 @@ -56,10 +56,6 @@ miscfiles_read_localization($1_chkpwd_t) @@ -25765,7 +25335,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - optional_policy(` - nis_use_ypbind($1) + kerberos_read_keytab($1) -+ kerberos_524_connect($1) ++ kerberos_connect_524($1) ') optional_policy(` @@ -25902,7 +25472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.5.12/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/authlogin.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/authlogin.te 2008-10-14 15:00:15.000000000 -0400 @@ -59,6 +59,9 @@ type utempter_exec_t; application_domain(utempter_t,utempter_exec_t) 
@@ -26004,7 +25574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.5.12/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/fstools.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/fstools.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -26019,8 +25589,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.5.12/policy/modules/system/fstools.te ---- nsaserefpolicy/policy/modules/system/fstools.te 2008-08-14 10:07:04.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/fstools.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/fstools.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/fstools.te 2008-10-14 15:00:15.000000000 -0400 @@ -97,6 +97,10 @@ fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) 
@@ -26044,7 +25614,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.5.12/policy/modules/system/hostname.te --- nsaserefpolicy/policy/modules/system/hostname.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/hostname.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/hostname.te 2008-10-14 15:00:15.000000000 -0400 @@ -8,7 +8,9 @@ type hostname_t; @@ -26058,7 +25628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.5.12/policy/modules/system/init.fc --- nsaserefpolicy/policy/modules/system/init.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/init.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/init.fc 2008-10-14 15:00:15.000000000 -0400 @@ -4,8 +4,7 @@ /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -26080,7 +25650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.5.12/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2008-09-24 10:04:55.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/init.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/init.if 2008-10-14 15:00:15.000000000 -0400 @@ -278,6 +278,27 @@ kernel_dontaudit_use_fds($1) ') 
@@ -26269,8 +25839,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow init_t $1:unix_dgram_socket sendto; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.12/policy/modules/system/init.te ---- nsaserefpolicy/policy/modules/system/init.te 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/init.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/init.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/init.te 2008-10-14 15:00:15.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) @@ -26422,7 +25992,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -579,6 +634,10 @@ +@@ -536,6 +591,10 @@ + ') + + optional_policy(` ++ automount_exec_config(initrc_t) ++') ++ ++optional_policy(` + bind_read_config(initrc_t) + + # for chmod in start script +@@ -575,6 +634,10 @@ dbus_read_config(initrc_t) optional_policy(` @@ -26433,7 +26014,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol networkmanager_dbus_chat(initrc_t) ') ') -@@ -664,12 +723,6 @@ +@@ -660,12 +723,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') @@ -26446,7 +26027,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ifdef(`distro_redhat',` -@@ -730,6 +783,9 @@ +@@ -726,6 +783,9 @@ # why is this needed: rpm_manage_db(initrc_t) @@ -26456,7 +26037,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -742,10 +798,12 @@ +@@ -738,10 +798,12 @@ squid_manage_logs(initrc_t) ') 
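Review bot: The new inner hunk `+@@ -536,6 +591,10 @@` adds `automount_exec_config(initrc_t)` with no rationale, while the neighbouring rule in the same hunk carries one (`# for chmod in start script`). If the interface name is accurate this lets the whole initrc_t domain execute files of the automount config type, so a one-line why-comment is worth having, e.g. `# autofs init script runs the executable map files -- confirm trigger`, so the next maintainer can judge whether the grant is still needed. The optional_policy block receiving the rule, and the init.te file it patches, continue outside the hunk.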
@@ -26469,7 +26050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -763,6 +821,11 @@ +@@ -759,6 +821,11 @@ uml_setattr_util_sockets(initrc_t) ') @@ -26481,7 +26062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` unconfined_domain(initrc_t) -@@ -777,6 +840,10 @@ +@@ -773,6 +840,10 @@ ') optional_policy(` @@ -26492,7 +26073,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') -@@ -799,3 +866,11 @@ +@@ -795,3 +866,11 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -26505,8 +26086,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_rw_xdm_home_files(daemon) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.5.12/policy/modules/system/ipsec.te ---- nsaserefpolicy/policy/modules/system/ipsec.te 2008-08-11 11:23:34.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/ipsec.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/ipsec.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/ipsec.te 2008-10-14 15:00:15.000000000 -0400 @@ -55,11 +55,12 @@ allow ipsec_t self:capability { net_admin dac_override dac_read_search }; 
@@ -26627,8 +26208,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow setkey_t ipsec_conf_file_t:dir list_dir_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.5.12/policy/modules/system/iscsi.te ---- nsaserefpolicy/policy/modules/system/iscsi.te 2008-08-11 11:23:34.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/iscsi.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/iscsi.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/iscsi.te 2008-10-14 15:00:15.000000000 -0400 @@ -28,7 +28,7 @@ # iscsid local policy # @@ -26640,7 +26221,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.12/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/libraries.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/libraries.fc 2008-10-14 15:00:15.000000000 -0400 @@ -60,12 +60,15 @@ # # /opt 
@@ -26737,8 +26318,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.12/policy/modules/system/libraries.te ---- nsaserefpolicy/policy/modules/system/libraries.te 2008-08-13 15:24:56.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/libraries.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/libraries.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/libraries.te 2008-10-14 15:00:15.000000000 -0400 @@ -52,11 +52,11 @@ # ldconfig local policy # @@ -26796,8 +26377,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + unconfined_domain(ldconfig_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.5.12/policy/modules/system/locallogin.te ---- nsaserefpolicy/policy/modules/system/locallogin.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/locallogin.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/locallogin.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/locallogin.te 2008-10-14 15:00:15.000000000 -0400 @@ -100,7 +100,6 @@ auth_rw_login_records(local_login_t) 
@@ -26868,7 +26449,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.5.12/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/logging.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/logging.fc 2008-10-14 15:00:15.000000000 -0400 @@ -53,10 +53,10 @@ /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) ') @@ -26892,7 +26473,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.5.12/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2008-10-10 15:53:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/logging.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/logging.if 2008-10-14 15:00:15.000000000 -0400 @@ -719,6 +719,8 @@ files_search_var($1) manage_files_pattern($1,logfile,logfile) @@ -26911,7 +26492,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.5.12/policy/modules/system/lvm.fc --- nsaserefpolicy/policy/modules/system/lvm.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/lvm.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/lvm.fc 2008-10-14 15:00:15.000000000 -0400 @@ -55,6 +55,7 @@ /sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) 
@@ -26927,7 +26508,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.5.12/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/lvm.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/lvm.te 2008-10-14 15:00:15.000000000 -0400 @@ -10,6 +10,9 @@ type clvmd_exec_t; init_daemon_domain(clvmd_t,clvmd_exec_t) @@ -27109,8 +26690,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xen_dontaudit_rw_unix_stream_sockets(lvm_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.5.12/policy/modules/system/modutils.te ---- nsaserefpolicy/policy/modules/system/modutils.te 2008-09-12 10:48:05.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/modutils.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/modutils.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/modutils.te 2008-10-14 15:00:15.000000000 -0400 @@ -42,7 +42,7 @@ # insmod local policy # @@ -27242,7 +26823,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ################################# diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.5.12/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/mount.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/mount.fc 2008-10-14 15:00:15.000000000 -0400 
@@ -1,4 +1,6 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) @@ -27253,7 +26834,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.5.12/policy/modules/system/mount.if --- nsaserefpolicy/policy/modules/system/mount.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/mount.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/mount.if 2008-10-14 15:00:15.000000000 -0400 @@ -49,6 +49,8 @@ mount_domtrans($1) role $2 types mount_t; @@ -27265,7 +26846,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol samba_run_smbmount($1, $2, $3) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.5.12/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/mount.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/mount.te 2008-10-14 15:00:15.000000000 -0400 @@ -18,17 +18,18 @@ init_system_domain(mount_t,mount_exec_t) role system_r types mount_t; 
@@ -27421,8 +27002,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.5.12/policy/modules/system/raid.te ---- nsaserefpolicy/policy/modules/system/raid.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/raid.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/raid.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/raid.te 2008-10-14 15:00:15.000000000 -0400 @@ -39,6 +39,7 @@ dev_dontaudit_getattr_generic_files(mdadm_t) dev_dontaudit_getattr_generic_chr_files(mdadm_t) @@ -27433,7 +27014,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_dontaudit_list_tmpfs(mdadm_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.5.12/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/selinuxutil.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/selinuxutil.fc 2008-10-14 15:00:15.000000000 -0400 @@ -38,7 +38,7 @@ /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) 
@@ -27457,7 +27038,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.5.12/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-10-10 15:53:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/selinuxutil.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/selinuxutil.if 2008-10-14 15:00:15.000000000 -0400 @@ -555,6 +555,59 @@ ######################################## @@ -27890,15 +27471,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.5.12/policy/modules/system/selinuxutil.te ---- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-10-10 15:53:03.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/selinuxutil.te 2008-10-10 16:08:15.000000000 -0400 -@@ -1,5 +1,5 @@ - --policy_module(selinuxutil, 1.10.1) -+policy_module(selinuxutil, 1.10.0) - - gen_require(` - bool secure_mode; +--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/selinuxutil.te 2008-10-14 15:00:15.000000000 -0400 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) 
@@ -28255,7 +27829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.5.12/policy/modules/system/setrans.if --- nsaserefpolicy/policy/modules/system/setrans.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/setrans.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/setrans.if 2008-10-14 15:00:15.000000000 -0400 @@ -21,3 +21,23 @@ stream_connect_pattern($1,setrans_var_run_t,setrans_var_run_t,setrans_t) files_list_pids($1) @@ -28282,7 +27856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.5.12/policy/modules/system/sysnetwork.fc --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/sysnetwork.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/sysnetwork.fc 2008-10-14 15:00:15.000000000 -0400 @@ -11,6 +11,7 @@ /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) 
@@ -28307,7 +27881,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.5.12/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/sysnetwork.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/sysnetwork.if 2008-10-14 15:00:15.000000000 -0400 @@ -553,6 +553,7 @@ type net_conf_t; ') @@ -28387,8 +27961,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role_transition $1 dhcpc_exec_t system_r; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.12/policy/modules/system/sysnetwork.te ---- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-08-11 11:23:34.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/sysnetwork.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/sysnetwork.te 2008-10-14 15:00:15.000000000 -0400 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t,dhcpc_exec_t) role system_r types dhcpc_t; 
@@ -28561,7 +28135,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xen_append_log(ifconfig_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.5.12/policy/modules/system/udev.if --- nsaserefpolicy/policy/modules/system/udev.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/udev.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/udev.if 2008-10-14 15:00:15.000000000 -0400 @@ -96,6 +96,24 @@ ######################################## @@ -28617,7 +28191,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.5.12/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/udev.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/udev.te 2008-10-14 15:00:15.000000000 -0400 @@ -83,6 +83,7 @@ kernel_rw_unix_dgram_sockets(udev_t) kernel_dgram_send(udev_t) @@ -28626,17 +28200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) -@@ -96,9 +97,6 @@ - dev_delete_generic_files(udev_t) - dev_search_usbfs(udev_t) - dev_relabel_all_dev_nodes(udev_t) --# udev_node.c/node_symlink() symlink labels are explicitly --# preserved, instead of short circuiting the relabel --dev_relabel_generic_symlinks(udev_t) - - domain_read_all_domains_state(udev_t) - domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these -@@ -142,6 +140,7 @@ +@@ -142,6 +143,7 @@ logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) 
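Review bot: Dropping the inner hunk `-@@ -96,9 +97,6 @@` means the Fedora patch no longer strips `dev_relabel_generic_symlinks(udev_t)` from udev.te, and because the upstream header for udev.te keeps its 2008-08-07 timestamp, the built policy presumably regains that relabel permission for udev_t. Nothing in the hunk records why the earlier removal was reverted; the upstream comment it restores (`udev_node.c/node_symlink() symlink labels are explicitly preserved`) hints at the reason, but a privilege change should be recorded where the decision is made, e.g. a changelog line such as `- Keep upstream dev_relabel_generic_symlinks(udev_t); udev relabels /dev symlinks via node_symlink()`. The renumbered header `+@@ -142,6 +143,7 @@` is consistent with the three lines no longer removed.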
@@ -28644,7 +28208,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(udev_t) -@@ -189,6 +188,7 @@ +@@ -189,6 +191,7 @@ optional_policy(` alsa_domtrans(udev_t) @@ -28652,7 +28216,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol alsa_read_rw_config(udev_t) ') -@@ -197,6 +197,10 @@ +@@ -197,6 +200,10 @@ ') optional_policy(` @@ -28663,7 +28227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol consoletype_exec(udev_t) ') -@@ -240,5 +244,9 @@ +@@ -240,5 +247,9 @@ ') optional_policy(` @@ -28675,7 +28239,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.5.12/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-09-11 16:42:49.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/unconfined.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/unconfined.fc 2008-10-14 15:00:15.000000000 -0400 @@ -2,15 +2,27 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) @@ -28715,7 +28279,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.5.12/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-09-11 16:42:49.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/unconfined.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/unconfined.if 2008-10-14 15:00:15.000000000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` 
@@ -29045,8 +28609,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.12/policy/modules/system/unconfined.te ---- nsaserefpolicy/policy/modules/system/unconfined.te 2008-09-11 16:42:49.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/unconfined.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/unconfined.te 2008-10-14 15:12:41.000000000 -0400 @@ -6,35 +6,76 @@ # Declarations # @@ -29381,7 +28945,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +domain_ptrace_all_domains(unconfined_notrans_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.5.12/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/userdomain.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/userdomain.fc 2008-10-14 15:00:15.000000000 -0400 @@ -1,4 +1,5 @@ -HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh) -HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0) 
@@ -29394,7 +28958,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.12/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/userdomain.if 2008-10-11 19:55:33.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/userdomain.if 2008-10-14 15:00:15.000000000 -0400 @@ -28,10 +28,14 @@ class context contains; ') @@ -30383,7 +29947,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) + kerberos_use($1_usertype) -+ kerberos_524_connect($1_usertype) ++ kerberos_connect_524($1_usertype) ') optional_policy(` @@ -31989,8 +31553,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_tmpfs_filetrans($1, user_tmpfs_t, { dir file lnk_file sock_file fifo_file }) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.5.12/policy/modules/system/userdomain.te ---- nsaserefpolicy/policy/modules/system/userdomain.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/userdomain.te 2008-10-10 16:08:15.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/userdomain.te 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/userdomain.te 2008-10-14 15:00:15.000000000 -0400 @@ -8,13 +8,6 @@ ## 
@@ -32111,7 +31675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.5.12/policy/modules/system/xen.fc --- nsaserefpolicy/policy/modules/system/xen.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/xen.fc 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/xen.fc 2008-10-14 15:00:15.000000000 -0400 @@ -20,6 +20,7 @@ /var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) /var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) @@ -32122,7 +31686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.5.12/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/xen.if 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/xen.if 2008-10-14 15:00:15.000000000 -0400 @@ -167,11 +167,14 @@ # interface(`xen_stream_connect',` @@ -32166,7 +31730,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.5.12/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.12/policy/modules/system/xen.te 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/modules/system/xen.te 2008-10-14 15:00:15.000000000 -0400 @@ -6,6 +6,13 @@ # Declarations # 
@@ -32405,7 +31969,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.5.12/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.12/policy/support/obj_perm_sets.spt 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/support/obj_perm_sets.spt 2008-10-14 15:00:15.000000000 -0400 @@ -316,3 +316,13 @@ # define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') @@ -32422,7 +31986,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +define(`manage_key_perms', `{ create link read search setattr view write } ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.5.12/policy/users --- nsaserefpolicy/policy/users 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.12/policy/users 2008-10-10 16:08:15.000000000 -0400 ++++ serefpolicy-3.5.12/policy/users 2008-10-14 15:00:15.000000000 -0400 @@ -25,11 +25,8 @@ # permit any access to such users, then remove this entry. # diff --git a/selinux-policy.spec b/selinux-policy.spec index f346f96..bae17d2 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -59,7 +59,6 @@ SELinux Base package %files %{_mandir}/* -%doc %{_usr}/share/doc/%{name}-%{version} %dir %{_usr}/share/selinux %dir %{_usr}/share/selinux/devel %dir %{_usr}/share/selinux/devel/include 
@@ -71,6 +70,17 @@ SELinux Base package
 %{_usr}/share/selinux/devel/policygentool
 %{_usr}/share/selinux/devel/example.*
 %{_usr}/share/selinux/devel/policy.*
+
+%package doc
+Summary: SELinux policy documentation
+Group: System Environment/Base
+Requires(pre): selinux-policy = %{version}-%{release}
+
+%description doc
+SELinux policy documentation package
+
+%files doc
+%doc %{_usr}/share/doc/%{name}-%{version}
 %attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
 %check
@@ -185,7 +195,7 @@ fi;
 %description
 SELinux Reference Policy - modular.
-Based off of reference policy: Checked out revision 2824.
+Based off of reference policy: Checked out revision 2837.
 %build
diff --git a/sources b/sources
index a04e717..7aebee6 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-6c66ffc8a5a5a5860cc5834940fa3813 serefpolicy-3.5.12.tgz
+d8844e366ff99f65df95d145a5c2c1fe serefpolicy-3.5.12.tgz
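Review bot: In the `@@ -71,6 +70,17 @@` hunk the new `%files doc` section is inserted directly above the existing `%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp` line, so that script silently moves from the base package into the new selinux-policy-doc subpackage together with the %doc tree. If that is intended (policyhelp only serving the documentation), a comment such as `# policyhelp opens the policy docs, so it ships with -doc` would make the move deliberate; if not, the `%files doc` block belongs after the policyhelp line. `Requires(pre): selinux-policy = %{version}-%{release}` declares a scriptlet-time dependency, but the doc subpackage has no %pre, so a plain `Requires:` expresses the actual need. The other two hunks on this line are a revision-number and tarball-checksum bump and need no change.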