diff --git a/policy-F12.patch b/policy-F12.patch index cb4e5e2..c25554c 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -306,7 +306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.32/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/logrotate.te 2009-12-21 14:18:28.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/admin/logrotate.te 2010-01-04 11:33:37.000000000 -0500 @@ -32,7 +32,7 @@ # Change ownership on log files. allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; @@ -346,12 +346,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol acct_domtrans(logrotate_t) acct_manage_data(logrotate_t) acct_exec_data(logrotate_t) -@@ -149,6 +155,15 @@ +@@ -149,6 +155,16 @@ ') optional_policy(` + asterisk_exec(logrotate_t) + asterisk_stream_connect(logrotate_t) ++ asterisk_manage_lib_files(logrotate_t) +') + +optional_policy(` @@ -362,7 +363,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol consoletype_exec(logrotate_t) ') -@@ -157,6 +172,10 @@ +@@ -157,6 +173,10 @@ ') optional_policy(` @@ -373,7 +374,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(logrotate_t) ') -@@ -183,6 +202,10 @@ +@@ -183,6 +203,10 @@ ') optional_policy(` 
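Review bot: `asterisk_manage_lib_files(logrotate_t)` gives logrotate create, write, rename and unlink on every asterisk_var_lib_t file (the interface added later in this patch uses `manage_files_pattern` over the whole type), which is considerably wider than rotating logs normally requires. If logrotate only has to touch one lock or database file under /var/lib/asterisk, a read or rw grant scoped to that would be the safer rule; either way the line deserves a comment naming what it touches, e.g. `# asterisk's logrotate postrotate touches <WHICH FILE> in /var/lib/asterisk`. The enclosing optional_policy block for asterisk continues outside this hunk.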
@@ -2306,7 +2307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.6.32/policy/modules/apps/firewallgui.te --- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/firewallgui.te 2009-12-17 11:20:45.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/apps/firewallgui.te 2010-01-04 13:36:29.000000000 -0500 @@ -0,0 +1,64 @@ + +policy_module(firewallgui,1.0.0) @@ -2338,8 +2339,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_dirs_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t) +files_tmp_filetrans(firewallgui_t,firewallgui_tmp_t, { file dir }) + -+iptables_manage_config(firewallgui_t) -+iptables_etc_filetrans_config(firewallgui_t) ++files_manage_system_conf_files(firewallgui_t) ++files_etc_filetrans_system_conf(firewallgui_t) + +corecmd_exec_shell(firewallgui_t) +corecmd_exec_bin(firewallgui_t) @@ -6145,7 +6146,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2009-12-18 10:21:02.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2010-01-04 12:09:49.000000000 -0500 @@ -1,5 +1,5 @@ -policy_module(corenetwork, 1.12.1) 
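Review bot: Replacing `iptables_manage_config(firewallgui_t)` with `files_manage_system_conf_files(firewallgui_t)` widens what the firewall GUI may write: the new system_conf_t type also labels `/etc/sysctl\.conf(\.old)?` (files.fc hunk on L11, type declared in the files.te hunk on L15), so a bug in firewallgui_t can now rewrite kernel sysctl settings rather than only iptables rules. If that is intended (presumably for the ip_forward setting the tool edits), the firewallgui.te rule should say so, e.g. `# system-config-firewall edits /etc/sysconfig/iptables and /etc/sysctl.conf; both are system_conf_t`; otherwise sysctl.conf is better kept on its own type. Note also that the paired `files_etc_filetrans_system_conf(firewallgui_t)` has no name component, so every new file firewallgui_t creates directly in /etc is born system_conf_t.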
@@ -6215,16 +6216,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) network_port(ircd, tcp,6667,s0) network_port(isakmp, udp,500,s0) -@@ -129,7 +139,7 @@ +@@ -128,8 +138,9 @@ + network_port(ktalkd, udp,517,s0, udp,518,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) network_port(lmtp, tcp,24,s0, udp,24,s0) ++network_port(lirc, tcp,8765,s0) type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon -network_port(mail, tcp,2000,s0) +network_port(mail, tcp,2000,s0, tcp,3905,s0) network_port(memcache, tcp,11211,s0, udp,11211,s0) network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) -@@ -138,24 +148,33 @@ +@@ -138,24 +149,33 @@ network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) @@ -6259,7 +6262,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(pxe, udp,4011,s0) network_port(pyzor, udp,24441,s0) network_port(radacct, udp,1646,s0, udp,1813,s0) -@@ -171,29 +190,38 @@ +@@ -171,29 +191,38 @@ network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) @@ -6301,7 +6304,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -222,6 +250,8 @@ +@@ -222,6 +251,8 @@ type node_t, node_type; sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh) 
@@ -6813,7 +6816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.32/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/domain.if 2009-12-17 11:20:45.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/domain.if 2010-01-04 12:47:07.000000000 -0500 @@ -44,34 +44,6 @@ interface(`domain_type',` # start with basic domain @@ -7034,8 +7037,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.32/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/domain.te 2009-12-23 07:51:15.000000000 -0500 -@@ -5,6 +5,13 @@ ++++ serefpolicy-3.6.32/policy/modules/kernel/domain.te 2010-01-04 11:15:08.000000000 -0500 +@@ -5,6 +5,21 @@ # # Declarations # @@ -7046,10 +7049,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +# +gen_tunable(allow_domain_fd_use, true) ++ ++## ++##

++## Allow all domains to have the kernel load modules ++##

++##
++# ++gen_tunable(domain_kernel_load_modules, false) # Mark process types as domains attribute domain; -@@ -15,6 +22,8 @@ +@@ -15,6 +30,8 @@ # Domains that are unconfined attribute unconfined_domain_type; @@ -7058,7 +7069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Domains that can mmap low memory. attribute mmap_low_domain_type; neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero; -@@ -80,6 +89,8 @@ +@@ -80,6 +97,8 @@ allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; kernel_read_proc_symlinks(domain) @@ -7067,17 +7078,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Every domain gets the key ring, so we should default # to no one allowed to look at it; afs kernel support creates # a keyring -@@ -97,6 +108,9 @@ +@@ -97,6 +116,13 @@ # list the root directory files_list_root(domain) +# All executables should be able to search the directory they are in +corecmd_search_bin(domain) + ++tunable_policy(`domain_kernel_load_modules',` ++ kernel_request_load_module(domain) ++') ++ tunable_policy(`global_ssp',` # enable reading of urandom for all domains: # this should be enabled when all programs -@@ -106,6 +120,10 @@ +@@ -106,6 +132,10 @@ ') optional_policy(` @@ -7088,7 +7103,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(domain) libs_use_shared_libs(domain) ') -@@ -118,6 +136,7 @@ +@@ -118,6 +148,7 @@ optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -7096,7 +7111,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -136,6 +155,8 @@ +@@ -136,6 +167,8 @@ allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; 
@@ -7105,7 +7120,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -153,3 +174,73 @@ +@@ -153,3 +186,73 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -7181,7 +7196,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.32/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.fc 2009-12-17 11:20:45.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/files.fc 2010-01-04 13:36:29.000000000 -0500 @@ -18,6 +18,7 @@ /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) 
@@ -7204,7 +7219,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/localtime -l gen_context(system_u:object_r:etc_t,s0) /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -229,6 +232,8 @@ +@@ -62,6 +65,10 @@ + /etc/reader\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/smartd\.conf.* -- gen_context(system_u:object_r:etc_runtime_t,s0) + ++/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0) ++/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0) ++/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) ++ + /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) + + /etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0) +@@ -229,6 +236,8 @@ /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -7215,7 +7241,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-12-29 18:03:58.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2010-01-04 15:42:30.000000000 -0500 @@ -110,7 +110,11 @@ ## # 
@@ -7421,7 +7447,72 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3320,6 +3442,32 @@ +@@ -3135,6 +3257,64 @@ + allow $1 readable_t:sock_file read_sock_file_perms; + ') + ++####################################### ++## ++## Read manageable system configuration files in /etc ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_read_system_conf_files',` ++ gen_require(` ++ type etc_t, system_conf_t; ++ ') ++ ++ allow $1 etc_t:dir list_dir_perms; ++ read_files_pattern($1, etc_t, system_conf_t) ++ read_lnk_files_pattern($1, etc_t, system_conf_t) ++') ++ ++###################################### ++## ++## Manage manageable system configuration files in /etc. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_system_conf_files',` ++ gen_require(` ++ type etc_t, system_conf_t; ++ ') ++ ++ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t) ++') ++ ++################################### ++## ++## Create files in /etc with the type used for ++## the manageable system config files. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`files_etc_filetrans_system_conf',` ++ gen_require(` ++ type etc_t, system_conf_t; ++ ') ++ ++ filetrans_pattern($1, etc_t, system_conf_t, file) ++') ++ + ######################################## + ## + ## Allow the specified type to associate +@@ -3320,6 +3500,32 @@ ######################################## ## @@ -7454,7 +7545,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Manage temporary files and directories in /tmp. ## ## -@@ -3449,6 +3597,24 @@ +@@ -3449,6 +3655,24 @@ ######################################## ## 
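Review bot: `files_etc_filetrans_system_conf` uses `filetrans_pattern($1, etc_t, system_conf_t, file)` with no file-name component, so every regular file the caller creates directly in an etc_t directory — not just firewall or sysctl configs — is born system_conf_t and thereby becomes writable by every other domain holding `files_manage_system_conf_files`; the interface description should state this so it is only handed to domains whose sole /etc writes are those configs. The summary of `files_manage_system_conf_files` reads "Manage manageable system configuration files", which is circular; `Create, read, write, and delete the manageable system configuration files (system_conf_t) in /etc.` would match the neighbouring interfaces. The three new banner lines are also each a different length and shorter than the surrounding `########################################` banners.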
@@ -7479,7 +7570,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read all tmp files. ## ## -@@ -3515,6 +3681,8 @@ +@@ -3515,6 +3739,8 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -7488,7 +7579,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3623,7 +3791,12 @@ +@@ -3623,7 +3849,12 @@ type usr_t; ') @@ -7502,7 +7593,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3662,6 +3835,7 @@ +@@ -3662,6 +3893,7 @@ allow $1 usr_t:dir list_dir_perms; read_files_pattern($1, usr_t, usr_t) read_lnk_files_pattern($1, usr_t, usr_t) @@ -7510,7 +7601,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3686,6 +3860,24 @@ +@@ -3686,6 +3918,24 @@ ######################################## ## @@ -7535,7 +7626,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## dontaudit write of /usr files ## ## -@@ -4188,6 +4380,24 @@ +@@ -4188,6 +4438,24 @@ ######################################## ## @@ -7560,7 +7651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Search the /var/lib directory. ## ## -@@ -4288,6 +4498,24 @@ +@@ -4288,6 +4556,24 @@ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') 
@@ -7585,7 +7676,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -4666,6 +4894,25 @@ +@@ -4619,6 +4905,24 @@ + + ######################################## + ## ++## Write named generic process ID pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_write_generic_pid_pipes',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ allow $1 var_run_t:fifo_file write; ++') ++ ++######################################## ++## + ## Create an object in the process ID directory, with a private + ## type using a type transition. + ## +@@ -4666,6 +4970,25 @@ rw_files_pattern($1, var_run_t, var_run_t) ') @@ -7611,7 +7727,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Do not audit attempts to write to daemon runtime data files. -@@ -4686,6 +4933,24 @@ +@@ -4686,6 +5009,24 @@ ######################################## ## @@ -7636,7 +7752,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to ioctl daemon runtime data files. ## ## -@@ -4955,7 +5220,7 @@ +@@ -4721,6 +5062,7 @@ + + list_dirs_pattern($1, var_t, pidfile) + read_files_pattern($1, pidfile, pidfile) ++ read_lnk_files_pattern($1, pidfile, pidfile) + ') + + ######################################## +@@ -4955,7 +5297,7 @@ selinux_compute_member($1) # Need sys_admin capability for mounting @@ -7645,7 +7769,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Need to give access to the directories to be polyinstantiated allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -@@ -4977,12 +5242,15 @@ +@@ -4977,12 +5319,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) 
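Review bot: `files_write_generic_pid_pipes` grants `allow $1 var_run_t:fifo_file write;`, i.e. write access to every fifo under /var/run that has not been given a private type, which is exactly the generic-type grant the rest of files.if avoids for pid files. Its only caller in this patch is cupsd_t (cups.te hunk on L23); if the pipe it needs belongs to a daemon with policy, labeling the pipe with that daemon's type and using a specific interface would be the tighter fix. If it genuinely belongs to a process without policy, the description should say so and flag the grant as deliberately coarse, e.g. `## Write generic (var_run_t) named pipes in /var/run. Only for pipes created by processes that have no policy of their own.`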
@@ -7662,7 +7786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -5003,3 +5271,192 @@ +@@ -5003,3 +5348,192 @@ typeattribute $1 files_unconfined_type; ') @@ -7857,7 +7981,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.32/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.te 2009-12-17 11:20:45.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/files.te 2010-01-04 13:36:29.000000000 -0500 @@ -42,6 +42,7 @@ # type boot_t; @@ -7866,7 +7990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # default_t is the default type for files that do not # match any specification in the file_contexts configuration -@@ -52,7 +53,10 @@ +@@ -52,12 +53,24 @@ # # etc_t is the type of the system etc directories. # @@ -7878,7 +8002,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_type(etc_t) # compatibility aliases for removed types: typealias etc_t alias automount_etc_t; -@@ -193,6 +197,7 @@ + typealias etc_t alias snmpd_etc_t; + ++# system_conf_t is a new type of various ++# files in /etc/ that can be managed and ++# created by several domains. ++# ++type system_conf_t, configfile; ++files_type(system_conf_t) ++# compatibility aliases for removed type: ++typealias system_conf_t alias iptables_conf_t; ++ + # + # etc_runtime_t is the type of various + # files in /etc that are automatically +@@ -193,6 +206,7 @@ fs_associate_noxattr(file_type) fs_associate_tmpfs(file_type) fs_associate_ramfs(file_type) 
@@ -8483,7 +8621,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Rules for all filesystem types diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.32/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/kernel.if 2009-12-23 12:55:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/kernel.if 2010-01-04 12:45:58.000000000 -0500 @@ -485,6 +485,25 @@ ######################################## @@ -11082,7 +11220,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-12-29 19:58:48.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-01-04 12:39:52.000000000 -0500 @@ -33,12 +33,24 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -11167,7 +11305,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysnet_read_config(abrt_t) -@@ -96,22 +129,91 @@ +@@ -96,22 +129,96 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -11183,8 +11321,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + nis_use_ypbind(abrt_t) +') -+ -+optional_policy(` + + optional_policy(` +- dbus_connect_system_bus(abrt_t) +- dbus_system_bus_client(abrt_t) + nsplugin_read_rw_files(abrt_t) + nsplugin_read_home(abrt_t) +') 
@@ -11195,10 +11335,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + policykit_read_lib(abrt_t) + policykit_read_reload(abrt_t) +') - - optional_policy(` -- dbus_connect_system_bus(abrt_t) -- dbus_system_bus_client(abrt_t) ++ ++optional_policy(` + prelink_exec(abrt_t) + libs_exec_ld_so(abrt_t) + corecmd_exec_all_executables(abrt_t) @@ -11236,11 +11374,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow abrt_helper_t self:process signal; +read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t) + ++domain_read_all_domains_state(abrt_helper_t) ++ +manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) + ++read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) ++read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) ++ +files_read_etc_files(abrt_helper_t) +files_dontaudit_all_non_security_leaks(abrt_helper_t) + @@ -13227,8 +13370,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_proc_symlinks(arpwatch_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.6.32/policy/modules/services/asterisk.if --- nsaserefpolicy/policy/modules/services/asterisk.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/asterisk.if 2009-12-18 11:46:52.000000000 -0500 -@@ -1,5 +1,43 @@ ++++ serefpolicy-3.6.32/policy/modules/services/asterisk.if 2010-01-04 11:33:57.000000000 -0500 +@@ -1,5 +1,63 @@ ## Asterisk IP telephony server +##################################### 
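Review bot: `domain_read_all_domains_state(abrt_helper_t)` gives the helper read access to the /proc state of every domain on the system, where a crash-collecting helper presumably needs only the crashing process's entry; if that entry is read via /proc/<pid> of the dumping process, a narrower grant is worth trying, and a comment should justify the broad one either way, e.g. `# reads /proc/<pid> of the crashing process, which may be in any domain`. The same hunk adds read and read_lnk on abrt_var_run_t for the helper without saying which pid file or socket it reads; naming it would make the rule reviewable. The abrt_helper_t section continues outside this hunk.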
@@ -13269,12 +13412,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + can_exec($1, asterisk_exec_t) +') + ++######################################## ++## ++## Create, read, write, and delete ++## asterisk lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`asterisk_manage_lib_files',` ++ gen_require(` ++ type asterisk_var_lib_t; ++ ') ++ ++ manage_files_pattern($1, asterisk_var_lib_t, asterisk_var_lib_t) ++ files_search_var_lib($1) ++') ++ ######################################## ## ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.6.32/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2009-12-30 08:24:32.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2010-01-04 15:26:20.000000000 -0500 @@ -34,18 +34,21 @@ type asterisk_var_run_t; files_pid_file(asterisk_var_run_t) @@ -13315,7 +13478,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(asterisk_t) corenet_all_recvfrom_netlabel(asterisk_t) -@@ -97,16 +104,19 @@ +@@ -97,16 +104,20 @@ corenet_udp_bind_generic_node(asterisk_t) corenet_tcp_bind_asterisk_port(asterisk_t) corenet_udp_bind_asterisk_port(asterisk_t) @@ -13328,6 +13491,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_sendrecv_generic_server_packets(asterisk_t) +corenet_tcp_connect_postgresql_port(asterisk_t) ++dev_rw_generic_usb_dev(asterisk_t) dev_read_sysfs(asterisk_t) dev_read_sound(asterisk_t) dev_write_sound(asterisk_t) 
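Review bot: `dev_rw_generic_usb_dev(asterisk_t)` in the asterisk.te hunk gives the telephony daemon read/write on every generic USB device node with no comment saying which hardware needs it, and it sits among network rules rather than with the other `dev_*` lines that follow. A one-line justification naming the hardware or channel driver, e.g. `# USB telephony hardware used by <WHICH CHANNEL DRIVER>`, would let a later reviewer check whether a device-specific type is possible. The inner hunk count change (+104,19 to +104,20) matches the single added line.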
@@ -13335,7 +13499,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(asterisk_t) -@@ -119,17 +129,29 @@ +@@ -119,17 +130,29 @@ fs_getattr_all_fs(asterisk_t) fs_search_auto_mountpoints(asterisk_t) @@ -13368,7 +13532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -137,10 +159,11 @@ +@@ -137,10 +160,11 @@ ') optional_policy(` @@ -13450,7 +13614,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.32/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/bind.if 2009-12-17 11:20:45.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/bind.if 2010-01-04 16:22:02.000000000 -0500 @@ -235,7 +235,7 @@ ######################################## @@ -13501,10 +13665,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +interface(`bind_initrc_domtrans',` + gen_require(` -+ type bind_initrc_exec_t; ++ type named_initrc_exec_t; + ') + -+ init_labeled_script_domtrans($1, bind_initrc_exec_t) ++ init_labeled_script_domtrans($1, named_initrc_exec_t) +') + +######################################## 
@@ -13512,6 +13676,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an bind environment ## +@@ -319,7 +357,7 @@ + + bind_run_ndc($1, $2) + +- init_labeled_script_domtrans($1, bind_initrc_exec_t) ++ init_labeled_script_domtrans($1, named_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 named_initrc_exec_t system_r; + allow $2 system_r; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.6.32/policy/modules/services/bitlbee.te --- nsaserefpolicy/policy/modules/services/bitlbee.te 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/bitlbee.te 2009-12-17 11:20:45.000000000 -0500 @@ -14941,8 +15114,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.32/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/cron.fc 2009-12-17 11:20:45.000000000 -0500 -@@ -14,7 +14,7 @@ ++++ serefpolicy-3.6.32/policy/modules/services/cron.fc 2010-01-04 15:31:19.000000000 -0500 +@@ -14,9 +14,10 @@ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) 
@@ -14950,8 +15123,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) ++/var/run/packagekit-cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0) -@@ -45,3 +45,7 @@ + /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) + /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) +@@ -45,3 +46,7 @@ /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) @@ -15373,7 +15549,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.32/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/cups.fc 2009-12-22 09:33:17.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/cups.fc 2010-01-04 11:46:23.000000000 -0500 @@ -13,10 +13,14 @@ /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) 
@@ -15397,7 +15573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) /usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0) -@@ -52,13 +57,22 @@ +@@ -52,13 +57,23 @@ /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -15408,6 +15584,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) ++/var/run/pipslitelp0 gen_context(system_u:object_r:cupsd_var_run_t,s0) /var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) @@ -15422,7 +15599,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-12-29 20:26:54.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/cups.te 2010-01-04 16:23:30.000000000 -0500 @@ -23,6 +23,9 @@ type cupsd_initrc_exec_t; init_script_file(cupsd_initrc_exec_t) 
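Review bot: `/var/run/pipslitelp0 gen_context(system_u:object_r:cupsd_var_run_t,s0)` carries no object-class qualifier, whereas the neighbouring pid entries use `--` or a `(/.*)?` directory pattern; without one the context applies to whatever object appears at that exact path. If it is a fifo or socket, writing it as `-p` or `-s` would say so and avoid labeling a stray regular file at that name.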
@@ -15517,7 +15694,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_read_config(cupsd_t) sysnet_exec_ifconfig(cupsd_t) -@@ -317,6 +332,10 @@ +@@ -285,8 +300,10 @@ + hal_dbus_chat(cupsd_t) + ') + ++ # talk to processes that do not have policy + optional_policy(` + unconfined_dbus_chat(cupsd_t) ++ files_write_generic_pid_pipes(cupsd_t) + ') + ') + +@@ -317,6 +334,10 @@ ') optional_policy(` @@ -15528,7 +15716,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol udev_read_db(cupsd_t) ') -@@ -327,7 +346,7 @@ +@@ -327,7 +348,7 @@ allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; dontaudit cupsd_config_t self:capability sys_tty_config; @@ -15537,7 +15725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_config_t self:fifo_file rw_fifo_file_perms; allow cupsd_config_t self:unix_stream_socket create_socket_perms; allow cupsd_config_t self:unix_dgram_socket create_socket_perms; -@@ -378,6 +397,8 @@ +@@ -378,6 +399,8 @@ dev_read_rand(cupsd_config_t) dev_rw_generic_usb_dev(cupsd_config_t) @@ -15546,7 +15734,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -407,6 +428,7 @@ +@@ -407,6 +430,7 @@ userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) @@ -15554,7 +15742,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cups_stream_connect(cupsd_config_t) -@@ -419,12 +441,15 @@ +@@ -419,12 +443,15 @@ ') optional_policy(` @@ -15572,7 +15760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` hal_dbus_chat(cupsd_config_t) -@@ -446,6 +471,10 @@ +@@ -446,6 +473,10 @@ ') optional_policy(` 
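Review bot: `files_write_generic_pid_pipes(cupsd_t)` is placed inside the `optional_policy` block that wraps `unconfined_dbus_chat(cupsd_t)`, but it is a files-module interface with no dependency on the unconfined or dbus modules, so the grant silently vanishes whenever that optional block is dropped and is tied to a module it has nothing to do with. Move it out of the block next to cupsd_t's other files_* rules, and replace the new comment `# talk to processes that do not have policy` with one naming the pipe, e.g. `# write to the unlabeled fifo of <WHICH PROCESS> under /var/run`. The enclosing optional_policy nesting begins outside this hunk.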
@@ -15583,7 +15771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpm_read_db(cupsd_config_t) ') -@@ -457,6 +486,10 @@ +@@ -457,6 +488,10 @@ udev_read_db(cupsd_config_t) ') @@ -15594,7 +15782,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Cups lpd support -@@ -542,6 +575,8 @@ +@@ -542,6 +577,8 @@ manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) @@ -15603,7 +15791,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(cups_pdf_t) files_read_etc_files(cups_pdf_t) -@@ -556,11 +591,15 @@ +@@ -556,11 +593,15 @@ miscfiles_read_fonts(cups_pdf_t) userdom_home_filetrans_user_home_dir(cups_pdf_t) @@ -15619,7 +15807,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(cups_pdf_t) -@@ -601,6 +640,9 @@ +@@ -601,6 +642,9 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) @@ -15629,7 +15817,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) -@@ -627,6 +669,7 @@ +@@ -627,6 +671,7 @@ corenet_tcp_connect_ipp_port(hplip_t) corenet_sendrecv_hplip_client_packets(hplip_t) corenet_receive_hplip_server_packets(hplip_t) 
@@ -15973,15 +16161,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 devicekit_t:process { ptrace signal_perms getattr }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.32/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/devicekit.te 2009-12-18 09:06:34.000000000 -0500 -@@ -36,12 +36,15 @@ - manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) - manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) - files_pid_filetrans(devicekit_t, devicekit_var_run_t, { file dir }) -+allow devicekit_disk_t devicekit_var_run_t:dir mounton; - - dev_read_sysfs(devicekit_t) - dev_read_urand(devicekit_t) ++++ serefpolicy-3.6.32/policy/modules/services/devicekit.te 2010-01-04 12:47:44.000000000 -0500 +@@ -42,6 +42,8 @@ files_read_etc_files(devicekit_t) 
@@ -15990,23 +16171,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(devicekit_t) optional_policy(` -@@ -60,8 +63,11 @@ +@@ -60,8 +62,10 @@ # DeviceKit disk local policy # -allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio }; +allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_nice sys_ptrace sys_rawio }; +allow devicekit_disk_t self:process signal_perms; -+ allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; +allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) -@@ -71,7 +77,10 @@ +@@ -71,29 +75,55 @@ manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) ++allow devicekit_disk_t devicekit_var_run_t:dir mounton; ++manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) ++manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) ++files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir }) ++ ++kernel_getattr_message_if(devicekit_disk_t) +kernel_read_fs_sysctls(devicekit_disk_t) kernel_read_software_raid_state(devicekit_disk_t) +kernel_read_system_state(devicekit_disk_t) 
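Review bot: The relocated `allow devicekit_disk_t devicekit_var_run_t:dir mounton;` now sits with the other `devicekit_var_run_t` rules, which is the right place, but it still carries no comment saying what the daemon mounts on its own pid directory, and `mounton` against a /var/run type is unusual enough that a reader will stop at it. A one-line why-comment above it, e.g. `# mounton: devkit-disks mounts <what — confirm from the AVC denial> under its run dir`, would settle that. The devicekit_disk_t section continues outside this hunk.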
@@ -16014,25 +16200,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_setsched(devicekit_disk_t) corecmd_exec_bin(devicekit_disk_t) -@@ -79,21 +88,35 @@ ++corecmd_exec_shell(devicekit_disk_t) ++corecmd_getattr_all_executables(devicekit_disk_t) + dev_rw_sysfs(devicekit_disk_t) dev_read_urand(devicekit_disk_t) dev_getattr_usbfs_dirs(devicekit_disk_t) +dev_manage_generic_files(devicekit_disk_t) +dev_getattr_all_chr_files(devicekit_disk_t) -+domain_read_all_domains_state(devicekit_disk_t) -+domain_getattr_all_sockets(devicekit_disk_t) +domain_getattr_all_pipes(devicekit_disk_t) ++domain_getattr_all_sockets(devicekit_disk_t) ++domain_getattr_all_stream_sockets(devicekit_disk_t) ++domain_read_all_domains_state(devicekit_disk_t) + +files_getattr_all_sockets(devicekit_disk_t) +files_getattr_all_mountpoints(devicekit_disk_t) +files_getattr_all_files(devicekit_disk_t) ++files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) files_read_etc_files(devicekit_disk_t) files_read_etc_runtime_files(devicekit_disk_t) files_read_usr_files(devicekit_disk_t) -+files_manage_isid_type_dirs(devicekit_disk_t) +fs_list_inotifyfs(devicekit_disk_t) +fs_manage_fusefs_dirs(devicekit_disk_t) @@ -16051,7 +16240,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(devicekit_disk_t) miscfiles_read_localization(devicekit_disk_t) -@@ -110,6 +133,7 @@ +@@ -102,6 +132,16 @@ + userdom_search_user_home_dirs(devicekit_disk_t) + + optional_policy(` ++ dbus_system_bus_client(devicekit_disk_t) ++ ++ allow devicekit_disk_t devicekit_t:dbus send_msg; ++ ++ optional_policy(` ++ consolekit_dbus_chat(devicekit_disk_t) ++ ') ++') ++ ++optional_policy(` + fstools_domtrans(devicekit_disk_t) + ') + +@@ -110,6 +150,7 @@ ') optional_policy(` 
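Review bot: `corecmd_exec_shell(devicekit_disk_t)` and `corecmd_getattr_all_executables(devicekit_disk_t)` are added without a comment naming what the daemon runs through a shell, and shell execution is the rule a reviewer will question first in a disk-management domain. A why-comment such as `# devkit-disks needs a shell for <helper — confirm from the AVC denial>` above the pair would let the next maintainer judge whether the existing `corecmd_exec_bin` alone would do. The remaining `domain_getattr_all_*` and `files_manage_isid_type_dirs` lines in this hunk are a reorder of rules the patch already had, not new grants. The devicekit_disk_t section continues outside this hunk.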
@@ -16059,23 +16265,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(devicekit_disk_t) policykit_read_lib(devicekit_disk_t) policykit_read_reload(devicekit_disk_t) -@@ -134,14 +158,26 @@ - udev_read_db(devicekit_disk_t) +@@ -120,18 +161,19 @@ ') -+ -+optional_policy(` -+ virt_manage_images(devicekit_disk_t) + optional_policy(` +- dbus_system_bus_client(devicekit_disk_t) ++ udev_domtrans(devicekit_disk_t) ++ udev_read_db(devicekit_disk_t) +') -+ -+optional_policy(` + +- allow devicekit_disk_t devicekit_t:dbus send_msg; + + optional_policy(` +- consolekit_dbus_chat(devicekit_disk_t) +- ') ++ virt_manage_images(devicekit_disk_t) + ') + + optional_policy(` +- udev_domtrans(devicekit_disk_t) +- udev_read_db(devicekit_disk_t) + unconfined_domain(devicekit_t) + unconfined_domain(devicekit_power_t) + unconfined_domain(devicekit_disk_t) -+') -+ + ') + ######################################## - # +@@ -139,9 +181,10 @@ # DeviceKit-Power local policy # @@ -16087,7 +16303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -@@ -151,6 +187,7 @@ +@@ -151,6 +194,7 @@ kernel_read_system_state(devicekit_power_t) kernel_rw_hotplug_sysctls(devicekit_power_t) kernel_rw_kernel_sysctl(devicekit_power_t) @@ -16095,7 +16311,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) -@@ -159,6 +196,7 @@ +@@ -159,6 +203,7 @@ domain_read_all_domains_state(devicekit_power_t) 
@@ -16103,7 +16319,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) -@@ -167,12 +205,17 @@ +@@ -167,12 +212,17 @@ files_read_etc_files(devicekit_power_t) files_read_usr_files(devicekit_power_t) @@ -16121,20 +16337,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_read_all_users_state(devicekit_power_t) optional_policy(` -@@ -180,8 +223,11 @@ +@@ -180,6 +230,10 @@ ') optional_policy(` -- dbus_system_bus_client(devicekit_power_t) + cron_initrc_domtrans(devicekit_power_t) +') - ++ +optional_policy(` -+ dbus_system_bus_client(devicekit_power_t) - allow devicekit_power_t devicekit_t:dbus send_msg; + dbus_system_bus_client(devicekit_power_t) - optional_policy(` -@@ -203,17 +249,23 @@ + allow devicekit_power_t devicekit_t:dbus send_msg; +@@ -203,17 +257,23 @@ optional_policy(` hal_domtrans_mac(devicekit_power_t) @@ -17743,7 +17957,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.32/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/lircd.te 2009-12-17 11:20:45.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/lircd.te 2010-01-04 12:13:31.000000000 -0500 @@ -16,13 +16,9 @@ type lircd_etc_t; files_type(lircd_etc_t) 
@@ -17759,11 +17973,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # lircd local policy -@@ -30,19 +26,32 @@ +@@ -30,19 +26,40 @@ allow lircd_t self:process signal; allow lircd_t self:unix_dgram_socket create_socket_perms; +allow lircd_t self:fifo_file rw_file_perms; ++allow lircd_t self:tcp_socket create_stream_socket_perms; # etc file read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) @@ -17774,6 +17989,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file }) ++corenet_tcp_bind_generic_node(lircd_t) ++corenet_tcp_bind_lirc_port(lircd_t) ++corenet_tcp_connect_lirc_port(lircd_t) ++corenet_tcp_sendrecv_all_ports(lircd_t) ++corenet_tcp_sendrecv_generic_if(lircd_t) ++ # /dev/lircd socket -manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t) -dev_filetrans(lircd_t, lircd_sock_t, sock_file ) @@ -17784,17 +18005,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +dev_rw_lirc(lircd_t) +dev_rw_input_dev(lircd_t) + -+term_use_ptmx(lircd_t) - - logging_send_syslog_msg(lircd_t) - -+files_read_etc_files(lircd_t) +files_list_var(lircd_t) +files_manage_generic_locks(lircd_t) +files_read_all_locks(lircd_t) ++files_read_etc_files(lircd_t) + ++term_use_ptmx(lircd_t) + + logging_send_syslog_msg(lircd_t) + miscfiles_read_localization(lircd_t) + ++sysnet_dns_name_resolve(lircd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.6.32/policy/modules/services/mailman.fc --- nsaserefpolicy/policy/modules/services/mailman.fc 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/mailman.fc 2009-12-30 08:17:22.000000000 -0500 
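Review bot: `corenet_tcp_sendrecv_all_ports(lircd_t)` is broader than the rest of the new network rules, which bind and connect only to the lirc port; `corenet_tcp_sendrecv_lirc_port(lircd_t)` matches that scope, and the per-port sendrecv interface is generated alongside the bind/connect ones used here. Accepting clients from arbitrary source ports is covered by the bind rule and does not need sendrecv on all ports. If the wider rule was chosen because of a denial, a comment recording the port would justify it: `# sendrecv all ports: <observed denial — record here>`. The lircd_t section continues outside this hunk.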
@@ -18171,7 +18393,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a generic signal to MySQL. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2009-12-29 09:05:26.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2010-01-04 11:01:45.000000000 -0500 @@ -1,6 +1,13 @@ policy_module(mysql, 1.11.0) @@ -18198,12 +18420,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_redhat',` # because Fedora has the sock_file in the database directory type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t; -@@ -131,15 +143,24 @@ +@@ -131,15 +143,25 @@ # Local mysqld_safe policy # -allow mysqld_safe_t self:capability { dac_override fowner chown }; +allow mysqld_safe_t self:capability { kill dac_override fowner chown }; ++dontaudit mysqld_safe_t self:capability sys_ptrace; allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) @@ -18224,7 +18447,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_list_sysfs(mysqld_safe_t) -@@ -152,7 +173,7 @@ +@@ -152,7 +174,7 @@ miscfiles_read_localization(mysqld_safe_t) 
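Review bot: The new `dontaudit mysqld_safe_t self:capability sys_ptrace;` records no reason, so a reader cannot tell whether mysqld_safe genuinely needs to inspect other processes (then the denial should be allowed) or merely probes and tolerates failure (then silencing is right). A one-line comment above it, e.g. `# mysqld_safe probes other processes' /proc entries and copes with EPERM — TODO confirm trigger`, would make the decision reviewable later. The mysqld_safe_t section continues outside this hunk.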
@@ -23972,7 +24195,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2009-12-29 19:04:54.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-01-04 16:02:47.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -24135,7 +24358,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # smbmount Local policy -@@ -638,6 +673,10 @@ +@@ -618,7 +653,7 @@ + # SWAT Local policy + # + +-allow swat_t self:capability { setuid setgid sys_resource }; ++allow swat_t self:capability { dac_override setuid setgid sys_resource }; + allow swat_t self:process { setrlimit signal_perms }; + allow swat_t self:fifo_file rw_fifo_file_perms; + allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +@@ -638,11 +673,13 @@ allow swat_t smbd_var_run_t:file { lock unlink }; @@ -24146,7 +24378,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t) -@@ -657,7 +696,7 @@ +-append_files_pattern(swat_t, samba_log_t, samba_log_t) +- + allow swat_t smbd_exec_t:file mmap_file_perms ; + + allow swat_t smbd_t:process signull; +@@ -657,7 +694,7 @@ files_pid_filetrans(swat_t, swat_var_run_t, file) allow swat_t winbind_exec_t:file mmap_file_perms; 
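Review bot: The new `allow swat_t self:capability { dac_override setuid setgid sys_resource };` gives SWAT, a network-facing administration daemon, the capability to bypass file permission checks, and this hunk also drops the original `append_files_pattern(swat_t, samba_log_t, samba_log_t)` while the next swat hunk (`@@ -24164,7 +24401,7 @@`) widens the replacement from `create_files_pattern` to `manage_files_pattern` — together that turns append-only logging into the ability to truncate or delete Samba's logs. If dac_override is needed for one specific file, a targeted rule on that type or at least a comment naming it is preferable: `# dac_override: <which file/operation — record the AVC>`. For the log directory, `manage_dirs_pattern` plus `create_files_pattern`/`append_files_pattern` keeps the previous append-only property unless SWAT really rotates its own logs. The swat_t section starts before and ends after this hunk.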
@@ -24155,7 +24392,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -700,6 +739,8 @@ +@@ -700,6 +737,8 @@ miscfiles_read_localization(swat_t) @@ -24164,7 +24401,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -713,12 +754,23 @@ +@@ -713,12 +752,23 @@ kerberos_use(swat_t) ') @@ -24172,7 +24409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +init_dontaudit_write_utmp(swat_t) + +manage_dirs_pattern(swat_t, samba_log_t, samba_log_t) -+create_files_pattern(swat_t, samba_log_t, samba_log_t) ++manage_files_pattern(swat_t, samba_log_t, samba_log_t) + +manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) + @@ -24189,7 +24426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; -@@ -866,6 +918,18 @@ +@@ -866,6 +916,18 @@ # optional_policy(` @@ -24208,7 +24445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -876,9 +940,12 @@ +@@ -876,9 +938,12 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; 
@@ -27448,7 +27685,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2009-12-29 16:41:42.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-01-04 13:36:29.000000000 -0500 @@ -8,6 +8,13 @@ ## @@ -27622,7 +27859,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_read_usr_src_files(virtd_t) + +# Manages /etc/sysconfig/system-config-firewall -+iptables_manage_config(virtd_t) ++files_manage_system_conf_files(virtd_t) +files_manage_etc_files(virtd_t) fs_list_auto_mountpoints(virtd_t) @@ -31286,7 +31523,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2009-12-29 17:01:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2010-01-04 09:24:03.000000000 -0500 @@ -6,6 +6,13 @@ # Declarations # 
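Review bot: `files_manage_system_conf_files(virtd_t)` replaces the dedicated `iptables_manage_config(virtd_t)`, but the comment above it still reads `# Manages /etc/sysconfig/system-config-firewall`, which now understates the grant: system_conf_t is a shared type, so virtd_t can rewrite every file carrying it, not just that one. Either update the comment to `# Manages /etc/sysconfig/system-config-firewall (system_conf_t; grants write to all system_conf_t files)` or keep a dedicated type if the narrower grant was the intent. The same replacement is made for iptables_t in the iptables.te hunk (`@@ -31665,13 +31814,13 @@`). The virtd_t section continues outside this hunk.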
@@ -31367,13 +31604,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file }) -@@ -82,16 +107,17 @@ +@@ -82,16 +107,18 @@ # so try flipping back into the ipsec_mgmt_t domain corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) allow ipsec_mgmt_t ipsec_t:fd use; -allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms; +allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; allow ipsec_mgmt_t ipsec_t:process sigchld; ++sysnet_domtrans_ifconfig(ipsec_t) -kernel_read_kernel_sysctls(ipsec_t) kernel_list_proc(ipsec_t) @@ -31387,7 +31625,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_getattr_core_if(ipsec_t) kernel_getattr_message_if(ipsec_t) -@@ -120,7 +146,9 @@ +@@ -120,7 +147,9 @@ domain_use_interactive_fds(ipsec_t) @@ -31397,7 +31635,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) -@@ -153,17 +181,21 @@ +@@ -153,17 +182,21 @@ # ipsec_mgmt Local policy # @@ -31422,7 +31660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) -@@ -241,6 +273,7 @@ +@@ -241,6 +274,7 @@ init_use_script_ptys(ipsec_mgmt_t) init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) @@ -31430,7 +31668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(ipsec_mgmt_t) -@@ -280,6 +313,13 @@ +@@ -280,6 +314,13 @@ allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; allow racoon_t self:key_socket create_socket_perms; 
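Review bot: `sysnet_domtrans_ifconfig(ipsec_t)` is inserted between the `allow ipsec_mgmt_t ipsec_t:process sigchld;` rule and the `kernel_*` calls, outside the module ordering the rest of this file follows, and with no comment saying why the ipsec daemon needs a domain transition into ifconfig rather than the more usual `sysnet_exec_ifconfig`. Move it down to the sysnet group of the ipsec_t section and add `# runs ifconfig/ip for <reason — confirm from the AVC denial>` above it. The ipsec_t section continues outside this hunk.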
@@ -31444,7 +31682,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # manage pid file manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t) -@@ -296,6 +336,14 @@ +@@ -296,6 +337,14 @@ kernel_read_system_state(racoon_t) kernel_read_network_state(racoon_t) @@ -31459,7 +31697,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(racoon_t) corenet_tcp_sendrecv_all_if(racoon_t) -@@ -314,6 +362,8 @@ +@@ -314,6 +363,8 @@ files_read_etc_files(racoon_t) @@ -31468,7 +31706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # allow racoon to use avc_has_perm to check context on proposed SA selinux_compute_access_vector(racoon_t) -@@ -328,6 +378,14 @@ +@@ -328,6 +379,14 @@ miscfiles_read_localization(racoon_t) @@ -31483,7 +31721,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Setkey local policy -@@ -341,12 +399,15 @@ +@@ -341,12 +400,15 @@ read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) @@ -31499,7 +31737,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # allow setkey to set the context for ipsec SAs and policy. ipsec_setcontext_default_spd(setkey_t) -@@ -358,3 +419,5 @@ +@@ -358,3 +420,5 @@ seutil_read_config(setkey_t) userdom_use_user_terminals(setkey_t) 
@@ -31507,15 +31745,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_read_user_tmp_files(setkey_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.32/policy/modules/system/iptables.fc --- nsaserefpolicy/policy/modules/system/iptables.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/iptables.fc 2009-12-17 11:20:47.000000000 -0500 -@@ -1,7 +1,16 @@ ++++ serefpolicy-3.6.32/policy/modules/system/iptables.fc 2010-01-04 13:36:29.000000000 -0500 +@@ -1,7 +1,13 @@ -/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) + +/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) + -+/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) -+/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0) -+ /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0) @@ -31531,7 +31766,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.6.32/policy/modules/system/iptables.if --- nsaserefpolicy/policy/modules/system/iptables.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/iptables.if 2009-12-17 11:20:47.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/iptables.if 2010-01-04 13:36:29.000000000 -0500 @@ -19,6 +19,24 @@ domtrans_pattern($1, iptables_exec_t, iptables_t) ') 
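Review bot: The removed file-context entries for `/etc/sysconfig/ip6?tables.*` and `/etc/sysconfig/system-config-firewall.*` are not replaced in this hunk, so after the patch their label depends on entries elsewhere (presumably system_conf_t in the base files module, which this diff does not show). If no such entry exists in this tree the files stay etc_t, the new `files_manage_system_conf_files` grants for iptables_t and virtd_t will not reach them, and `files_etc_filetrans_system_conf` will only relabel newly created files. Worth confirming with `matchpathcon /etc/sysconfig/iptables` against a built policy. The rest of the hunk is a reorder of the existing iptables.fc entries.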
@@ -31557,106 +31792,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Execute iptables in the iptables domain, and -@@ -69,3 +87,82 @@ - corecmd_search_bin($1) - can_exec($1, iptables_exec_t) - ') -+ -+##################################### -+## -+## Set the attributes of iptables config files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`iptables_setattr_config',` -+ gen_require(` -+ type iptables_conf_t; -+ ') -+ -+ files_search_etc($1) -+ allow $1 iptables_conf_t:file setattr; -+') -+ -+##################################### -+## -+## Read iptables config files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`iptables_read_config',` -+ gen_require(` -+ type iptables_conf_t; -+ ') -+ -+ files_search_etc($1) -+ allow $1 iptables_conf_t:dir list_dir_perms; -+ read_files_pattern($1, iptables_conf_t, iptables_conf_t) -+') -+ -+##################################### -+## -+## Create files in /etc with the type used for -+## the iptables config files. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`iptables_etc_filetrans_config',` -+ gen_require(` -+ type iptables_conf_t; -+ ') -+ -+ files_etc_filetrans($1, iptables_conf_t, file) -+') -+ -+################################### -+## -+## Manage iptables config files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`iptables_manage_config',` -+ gen_require(` -+ type iptables_conf_t; -+ type etc_t; -+ ') -+ -+ files_search_etc($1) -+ manage_files_pattern($1, iptables_conf_t, iptables_conf_t) -+') -+ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.32/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2009-12-18 08:52:31.000000000 -0500 -@@ -11,6 +11,12 @@ ++++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2010-01-04 13:36:29.000000000 -0500 +@@ -11,6 +11,9 @@ init_system_domain(iptables_t, iptables_exec_t) role system_r types iptables_t; +type iptables_initrc_exec_t; +init_script_file(iptables_initrc_exec_t) + -+type iptables_conf_t; -+files_config_file(iptables_conf_t) -+ type iptables_tmp_t; files_tmp_file(iptables_tmp_t) -@@ -24,9 +30,14 @@ +@@ -24,9 +27,14 @@ allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw }; dontaudit iptables_t self:capability sys_tty_config; @@ -31665,13 +31814,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow iptables_t self:process { sigchld sigkill sigstop signull signal }; allow iptables_t self:rawip_socket create_socket_perms; -+manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t) -+files_etc_filetrans(iptables_t, iptables_conf_t, file) ++files_manage_system_conf_files(iptables_t) ++files_etc_filetrans_system_conf(iptables_t) + manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) files_pid_filetrans(iptables_t, iptables_var_run_t, file) -@@ -36,6 +47,7 @@ +@@ -36,6 +44,7 @@ allow iptables_t iptables_tmp_t:file manage_file_perms; files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir }) 
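Review bot: Removing `type iptables_conf_t;` from iptables.te together with the `iptables_setattr_config`, `iptables_read_config`, `iptables_etc_filetrans_config` and `iptables_manage_config` interfaces means any module that still calls one of them fails to build, and the replacement `files_manage_system_conf_files(iptables_t)` / `files_etc_filetrans_system_conf(iptables_t)` is strictly wider than the dedicated type was. A grep of the policy tree for `iptables_conf_t` and `iptables_.*_config` before merging is the cheap check; a comment above the two new lines, e.g. `# iptables-save output and system-config-firewall state live in /etc/sysconfig as system_conf_t`, would explain why the dedicated type was dropped. The iptables_t section continues outside this hunk.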
@@ -31679,7 +31828,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(iptables_t) kernel_read_network_state(iptables_t) kernel_read_kernel_sysctls(iptables_t) -@@ -53,6 +65,7 @@ +@@ -53,6 +62,7 @@ mls_file_read_all_levels(iptables_t) term_dontaudit_use_console(iptables_t) @@ -31687,7 +31836,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(iptables_t) -@@ -79,6 +92,7 @@ +@@ -79,6 +89,7 @@ optional_policy(` fail2ban_append_log(iptables_t) @@ -31695,7 +31844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -100,6 +114,10 @@ +@@ -100,6 +111,10 @@ ') optional_policy(` @@ -31706,7 +31855,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rhgb_dontaudit_use_ptys(iptables_t) ') -@@ -108,5 +126,10 @@ +@@ -108,5 +123,10 @@ ') optional_policy(` @@ -31819,7 +31968,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive kdump_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-12-31 08:59:58.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-01-04 11:01:53.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -32027,7 +32176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -307,10 +309,131 @@ +@@ -307,10 +309,132 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) 
@@ -32159,6 +32308,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.32/policy/modules/system/libraries.if --- nsaserefpolicy/policy/modules/system/libraries.if 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/system/libraries.if 2009-12-17 11:20:47.000000000 -0500 @@ -33152,7 +33302,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.32/policy/modules/system/mount.if --- nsaserefpolicy/policy/modules/system/mount.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/mount.if 2009-12-22 09:40:10.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/mount.if 2010-01-04 11:25:54.000000000 -0500 @@ -16,6 +16,61 @@ ') @@ -33215,7 +33365,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -51,6 +107,32 @@ +@@ -42,8 +97,11 @@ + ') + + mount_domtrans($1) ++ + role $2 types mount_t; + ++ fstools_run(mount_t, $2) ++ + optional_policy(` + samba_run_smbmount($1, $2) + ') +@@ -51,6 +109,32 @@ ######################################## ## @@ -33248,7 +33410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute mount in the caller domain. ## ## -@@ -84,9 +166,11 @@ +@@ -84,9 +168,11 @@ interface(`mount_signal',` gen_require(` type mount_t; 
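Review bot: `fstools_run(mount_t, $2)` is added to `mount_run` unconditionally while the `samba_run_smbmount($1, $2)` call three lines below stays wrapped in optional_policy, so the interface now hard-depends on the fstools module and, presumably, also assigns `$2` the fstools domain type through mount_t — a side effect every caller of `mount_run` inherits without it being stated in the interface's doc block, which starts outside this hunk. Either wrap the call in its own optional_policy block like the samba call, or add to the interface summary: `## (also allows the role the fstools domain, reached through mount_t)`. The matching unconditional `fstools_domtrans(mount_t)` in the mount.te hunk (`@@ -33399,18 +33561,20 @@`) has the same dependency.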
@@ -33262,7 +33424,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/mount.te 2009-12-18 08:32:13.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-01-04 12:19:29.000000000 -0500 @@ -18,8 +18,15 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -33399,18 +33561,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_redhat',` optional_policy(` -@@ -132,6 +171,10 @@ +@@ -132,6 +171,12 @@ ') ') +corecmd_exec_shell(mount_t) + ++fstools_domtrans(mount_t) ++ +modutils_domtrans_insmod(mount_t) + tunable_policy(`allow_mount_anyfile',` auth_read_all_dirs_except_shadow(mount_t) auth_read_all_files_except_shadow(mount_t) -@@ -165,6 +208,8 @@ +@@ -165,6 +210,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -33419,7 +33583,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -172,6 +217,25 @@ +@@ -172,6 +219,25 @@ ') optional_policy(` @@ -33445,7 +33609,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -179,6 +243,11 @@ +@@ -179,6 +245,11 @@ ') ') @@ -33457,7 +33621,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -186,6 +255,7 @@ +@@ -186,6 +257,7 @@ optional_policy(` samba_domtrans_smbmount(mount_t) 
@@ -33465,7 +33629,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -195,5 +265,8 @@ +@@ -195,5 +267,9 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t, file) @@ -33473,6 +33637,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + unconfined_domain_noaudit(unconfined_mount_t) + + rpc_domtrans_rpcd(unconfined_mount_t) ++ devicekit_dbus_chat_disk(unconfined_mount_t) ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.fc serefpolicy-3.6.32/policy/modules/system/raid.fc @@ -34359,7 +34524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.32/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.if 2009-12-27 08:20:17.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.if 2010-01-04 09:38:12.000000000 -0500 @@ -43,6 +43,36 @@ sysnet_domtrans_dhcpc($1) @@ -35711,7 +35876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-12-31 08:43:42.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-12-31 09:27:26.000000000 -0500 @@ -30,8 +30,9 @@ ') 
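Review bot: `devicekit_dbus_chat_disk(unconfined_mount_t)` is placed inside the same optional_policy block as `unconfined_domain_noaudit(unconfined_mount_t)` and `rpc_domtrans_rpcd(unconfined_mount_t)`; an optional_policy block is kept or dropped as a unit when its requirements are checked, so on a build or system without the devicekit module this would silently discard the unconfined rule as well and leave unconfined_mount_t confined. Give it its own wrapper — three lines: optional_policy(` / devicekit_dbus_chat_disk(unconfined_mount_t) / ') — and likewise consider separating the rpc rule. Separately, since unconfined_domain_noaudit is in play, check whether the dbus send_msg this grants is already covered by the unconfined rule; if it is, the line is dead weight that only adds a module dependency.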
diff --git a/selinux-policy.spec b/selinux-policy.spec index 21c8a99..3ba05ca 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 65%{?dist} +Release: 66%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -449,6 +449,9 @@ exit 0 %endif %changelog +* Mon Jan 4 2010 Dan Walsh 3.6.32-66 +- Allow lircd to use tcp_socket and connect/bind to port 8675 + * Wed Dec 30 2009 Dan Walsh 3.6.32-65 - Allow traceroute to use all terms - Fix mgetty use for faxes
