++##
++## Allow all domains to have the kernel load modules
++##
++##
++#
++gen_tunable(domain_kernel_load_modules, false)
# Mark process types as domains
attribute domain;
-@@ -15,6 +22,8 @@
+@@ -15,6 +30,8 @@
# Domains that are unconfined
attribute unconfined_domain_type;
@@ -7058,7 +7069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Domains that can mmap low memory.
attribute mmap_low_domain_type;
neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
-@@ -80,6 +89,8 @@
+@@ -80,6 +97,8 @@
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)
@@ -7067,17 +7078,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# a keyring
-@@ -97,6 +108,9 @@
+@@ -97,6 +116,13 @@
# list the root directory
files_list_root(domain)
+# All executables should be able to search the directory they are in
+corecmd_search_bin(domain)
+
++tunable_policy(`domain_kernel_load_modules',`
++ kernel_request_load_module(domain)
++')
++
tunable_policy(`global_ssp',`
# enable reading of urandom for all domains:
# this should be enabled when all programs
-@@ -106,6 +120,10 @@
+@@ -106,6 +132,10 @@
')
optional_policy(`
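Review bot: The new `tunable_policy(`domain_kernel_load_modules',` block hands every domain kernel_request_load_module(), which in refpolicy (if I recall the interface correctly) grants the kernel `module_request` permission, so once the boolean is on any confined process can trigger autoloading of kernel modules by name and pull in kernel code that would otherwise never be resident. The default of `false` set by `gen_tunable(domain_kernel_load_modules, false)` earlier in this patch is the right one, but the boolean's description only says "Allow all domains to have the kernel load modules", which invites flipping it to silence a single AVC denial. The `##` description should state the trade-off, e.g. `## Enabling this lets any domain trigger kernel module autoloading; prefer a per-domain kernel_request_load_module() call instead.` The inner hunk's line count (+9 → +13 for the four added lines) is consistent; the enclosing domain.te block continues outside this hunk.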
@@ -7088,7 +7103,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
libs_use_ld_so(domain)
libs_use_shared_libs(domain)
')
-@@ -118,6 +136,7 @@
+@@ -118,6 +148,7 @@
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@@ -7096,7 +7111,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -136,6 +155,8 @@
+@@ -136,6 +167,8 @@
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
@@ -7105,7 +7120,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -153,3 +174,73 @@
+@@ -153,3 +186,73 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -7181,7 +7196,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.32/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/files.fc 2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/kernel/files.fc 2010-01-04 13:36:29.000000000 -0500
@@ -18,6 +18,7 @@
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -7204,7 +7219,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -229,6 +232,8 @@
+@@ -62,6 +65,10 @@
+ /etc/reader\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/smartd\.conf.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
++/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0)
++/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0)
++/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0)
++
+ /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
+
+ /etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0)
+@@ -229,6 +236,8 @@
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
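Review bot: `/etc/sysctl\.conf(\.old)?` covers only the literal `.old` suffix, whereas the two sibling entries added in the same inner hunk use `.*`, so editor and package-manager leftovers of sysctl.conf (`.rpmsave`, `.rpmnew`, `~`) would keep the etc_t label while the live file becomes system_conf_t; `/etc/sysctl\.conf.* -- gen_context(system_u:object_r:system_conf_t,s0)` would be consistent with its neighbours. Relabeling the saved iptables/ip6tables rule sets from etc_t to system_conf_t changes which domains may rewrite the firewall configuration, so whatever domains are granted write access to system_conf_t should be checked for that intent; note also that `ip6?tables.*` matches `iptables-config` as well as the rules file, which may or may not be wanted. system_conf_t itself must be declared in files.te, which is not visible here; the inner hunk's count (+6 → +10) is consistent with the four added lines.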
@@ -7215,7 +7241,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/nfs/rpc_pipefs(/.*)? <