##
## Allow qemu to connect fully to the network
-@@ -13,16 +16,118 @@
+@@ -13,16 +16,120 @@
##
gen_tunable(qemu_full_network, false)
@@ -5714,8 +5714,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te
+manage_files_pattern(qemu_t, qemu_cache_t, qemu_cache_t)
+files_var_filetrans(qemu_t, qemu_cache_t, { file dir })
+
++manage_dirs_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t)
+manage_files_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t)
-+files_pid_filetrans(qemu_t, qemu_var_run_t, file)
++manage_lnk_files_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t)
++files_pid_filetrans(qemu_t, qemu_var_run_t, { file dir })
+
+kernel_read_system_state(qemutype)
+
@@ -5781,7 +5783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te
tunable_policy(`qemu_full_network',`
allow qemu_t self:udp_socket create_socket_perms;
-@@ -35,6 +140,38 @@
+@@ -35,6 +142,38 @@
corenet_tcp_connect_all_ports(qemu_t)
')
@@ -6654,8 +6656,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te se
+wm_domain_template(user,xdm)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-10-17 14:49:14.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2009-02-10 15:07:15.000000000 +0100
-@@ -129,6 +129,9 @@
++++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2009-02-26 15:48:02.000000000 +0100
+@@ -123,12 +123,17 @@
+
+ /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
++/opt/real/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
++
+ ifdef(`distro_gentoo',`
+ /opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
+ /opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -6665,7 +6675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
#
# /usr
#
-@@ -176,6 +179,8 @@
+@@ -176,6 +181,8 @@
/usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
@@ -6674,7 +6684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -184,10 +189,8 @@
+@@ -184,10 +191,8 @@
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -6687,7 +6697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -202,6 +205,7 @@
+@@ -202,6 +207,7 @@
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -6695,7 +6705,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-@@ -222,14 +226,15 @@
+@@ -222,14 +228,15 @@
/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -6713,7 +6723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
-@@ -292,3 +297,14 @@
+@@ -292,3 +299,14 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -10806,7 +10816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.5.13/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/apache.fc 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/apache.fc 2009-02-26 15:55:33.000000000 +0100
@@ -1,16 +1,18 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -10854,7 +10864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -47,11 +54,14 @@
+@@ -47,11 +54,16 @@
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -10863,13 +10873,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+
++/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++
/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -64,11 +74,23 @@
+@@ -64,11 +76,23 @@
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -16367,7 +16379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.5.13/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/dovecot.te 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/dovecot.te 2009-02-25 19:29:32.000000000 +0100
@@ -15,12 +15,21 @@
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
@@ -16484,7 +16496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
files_read_usr_symlinks(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)
-@@ -185,5 +217,53 @@
+@@ -185,5 +217,55 @@
')
optional_policy(`
@@ -16521,6 +16533,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+
+files_read_etc_files(dovecot_deliver_t)
+files_read_etc_runtime_files(dovecot_deliver_t)
++files_search_tmp(dovecot_deliver_t)
++fs_getattr_all_fs(dovecot_deliver_t)
+
+auth_use_nsswitch(dovecot_deliver_t)
+
@@ -17582,6 +17596,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kern
kernel_read_ring_buffer(kerneloops_t)
# Init script handling
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.5.13/policy/modules/services/ktalk.te
+--- nsaserefpolicy/policy/modules/services/ktalk.te 2008-10-17 14:49:13.000000000 +0200
++++ serefpolicy-3.5.13/policy/modules/services/ktalk.te 2009-02-25 19:56:42.000000000 +0100
+@@ -69,6 +69,7 @@
+ files_read_etc_files(ktalkd_t)
+
+ term_search_ptys(ktalkd_t)
++term_use_all_terms(ktalkd_t)
+
+ auth_use_nsswitch(ktalkd_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.5.13/policy/modules/services/ldap.te
--- nsaserefpolicy/policy/modules/services/ldap.te 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/ldap.te 2009-02-10 15:07:15.000000000 +0100
@@ -18623,7 +18648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.5.13/policy/modules/services/mysql.if
--- nsaserefpolicy/policy/modules/services/mysql.if 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/mysql.if 2009-02-10 17:48:59.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/mysql.if 2009-02-26 16:00:52.000000000 +0100
@@ -53,9 +53,11 @@
interface(`mysql_stream_connect',`
gen_require(`
@@ -18645,7 +18670,59 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
')
########################################
-@@ -157,7 +159,26 @@
+@@ -120,6 +122,25 @@
+ allow $1 mysqld_db_t:dir rw_dir_perms;
+ ')
+
++#######################################
++##