++##
++## Allow Apache to use mod_auth_pam
++##
++##
++gen_tunable(allow_httpd_mod_auth_ntlm_winbind,false)
++optional_policy(`
++ tunable_policy(`allow_httpd_mod_auth_pam',`
++ samba_domtrans_winbind_helper(httpd_t)
++ ')
+ ')
tunable_policy(`httpd_can_network_connect',`
corenet_tcp_connect_all_ports(httpd_t)
@@ -7334,7 +7345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_can_network_connect_db',`
# allow httpd to connect to mysql/posgresql
corenet_tcp_connect_postgresql_port(httpd_t)
-@@ -387,6 +437,10 @@
+@@ -387,6 +449,10 @@
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
@@ -7345,7 +7356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
-@@ -404,11 +458,21 @@
+@@ -404,11 +470,21 @@
fs_read_nfs_symlinks(httpd_t)
')
@@ -7367,7 +7378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -430,6 +494,12 @@
+@@ -430,6 +506,12 @@
')
optional_policy(`
@@ -7380,7 +7391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
calamaris_read_www_files(httpd_t)
')
-@@ -442,8 +512,14 @@
+@@ -442,8 +524,14 @@
')
optional_policy(`
@@ -7396,7 +7407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -457,11 +533,11 @@
+@@ -457,11 +545,11 @@
optional_policy(`
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
@@ -7409,7 +7420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -481,6 +557,7 @@
+@@ -481,6 +569,7 @@
')
optional_policy(`
@@ -7417,7 +7428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -516,6 +593,13 @@
+@@ -516,6 +605,13 @@
userdom_use_sysadm_terms(httpd_helper_t)
')
@@ -7431,7 +7442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -553,6 +637,7 @@
+@@ -553,6 +649,7 @@
optional_policy(`
mysql_stream_connect(httpd_php_t)
@@ -7439,7 +7450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -567,7 +652,6 @@
+@@ -567,7 +664,6 @@
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
@@ -7447,7 +7458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -581,6 +665,10 @@
+@@ -581,6 +677,10 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -7458,7 +7469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -590,8 +678,7 @@
+@@ -590,8 +690,7 @@
fs_search_auto_mountpoints(httpd_suexec_t)
# for shell scripts
@@ -7468,7 +7479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -620,8 +707,6 @@
+@@ -620,8 +719,6 @@
corenet_udp_sendrecv_all_ports(httpd_suexec_t)
corenet_tcp_connect_all_ports(httpd_suexec_t)
corenet_sendrecv_all_client_packets(httpd_suexec_t)
@@ -7477,7 +7488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -634,6 +719,12 @@
+@@ -634,6 +731,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -7490,7 +7501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -651,18 +742,6 @@
+@@ -651,18 +754,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -7509,7 +7520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
-@@ -672,7 +751,8 @@
+@@ -672,7 +763,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -7519,7 +7530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -686,15 +766,63 @@
+@@ -686,15 +778,63 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -7584,7 +7595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -707,6 +835,7 @@
+@@ -707,6 +847,7 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -7592,7 +7603,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -728,3 +857,46 @@
+@@ -728,3 +869,46 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -7640,8 +7651,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ postgresql_stream_connect(httpd_bugzilla_script_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.0.8/policy/modules/services/apcupsd.if
---- nsaserefpolicy/policy/modules/services/apcupsd.if 2007-10-22 19:21:39.000000000 +0200
-+++ serefpolicy-3.0.8/policy/modules/services/apcupsd.if 2008-01-17 15:03:07.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/apcupsd.if 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/apcupsd.if 2008-04-04 16:11:03.000000000 -0400
@@ -90,10 +90,29 @@
##
##
@@ -7674,8 +7685,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.0.8/policy/modules/services/apcupsd.te
---- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-10-22 19:21:39.000000000 +0200
-+++ serefpolicy-3.0.8/policy/modules/services/apcupsd.te 2008-01-17 15:03:07.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/apcupsd.te 2008-04-04 16:11:03.000000000 -0400
@@ -86,6 +86,11 @@
miscfiles_read_localization(apcupsd_t)
@@ -7689,8 +7700,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
hostname_exec(apcupsd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.0.8/policy/modules/services/apm.te
---- nsaserefpolicy/policy/modules/services/apm.te 2007-10-22 19:21:39.000000000 +0200
-+++ serefpolicy-3.0.8/policy/modules/services/apm.te 2008-02-18 18:10:38.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/apm.te 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/apm.te 2008-04-04 16:11:03.000000000 -0400
@@ -190,6 +190,10 @@
dbus_stub(apmd_t)
@@ -7703,8 +7714,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.
')
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.0.8/policy/modules/services/asterisk.te
---- nsaserefpolicy/policy/modules/services/asterisk.te 2007-10-22 19:21:39.000000000 +0200
-+++ serefpolicy-3.0.8/policy/modules/services/asterisk.te 2008-01-17 15:03:07.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/asterisk.te 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/asterisk.te 2008-04-04 16:11:03.000000000 -0400
@@ -98,6 +98,7 @@
# for VOIP voice channels.
corenet_tcp_bind_generic_port(asterisk_t)
@@ -7714,8 +7725,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
dev_read_sysfs(asterisk_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.0.8/policy/modules/services/audioentropy.te
---- nsaserefpolicy/policy/modules/services/audioentropy.te 2007-10-22 19:21:36.000000000 +0200
-+++ serefpolicy-3.0.8/policy/modules/services/audioentropy.te 2008-01-17 15:03:07.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/audioentropy.te 2007-10-22 13:21:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/audioentropy.te 2008-04-04 16:11:03.000000000 -0400
@@ -18,7 +18,7 @@
# Local policy
#
@@ -7735,8 +7746,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audi
fs_getattr_all_fs(entropyd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.fc serefpolicy-3.0.8/policy/modules/services/automount.fc
---- nsaserefpolicy/policy/modules/services/automount.fc 2007-10-22 19:21:39.000000000 +0200
-+++ serefpolicy-3.0.8/policy/modules/services/automount.fc 2008-01-17 15:03:07.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/automount.fc 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/automount.fc 2008-04-04 16:11:03.000000000 -0400
@@ -12,4 +12,6 @@
# /var
#
@@ -7746,8 +7757,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.0.8/policy/modules/services/automount.if
---- nsaserefpolicy/policy/modules/services/automount.if 2007-10-22 19:21:39.000000000 +0200
-+++ serefpolicy-3.0.8/policy/modules/services/automount.if 2008-01-30 15:23:53.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/automount.if 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/automount.if 2008-04-04 16:11:03.000000000 -0400
@@ -74,3 +74,39 @@
dontaudit $1 automount_tmp_t:dir getattr;
@@ -7789,8 +7800,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.0.8/policy/modules/services/automount.te
---- nsaserefpolicy/policy/modules/services/automount.te 2007-10-22 19:21:39.000000000 +0200
-+++ serefpolicy-3.0.8/policy/modules/services/automount.te 2008-02-20 14:53:32.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/automount.te 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/automount.te 2008-04-04 16:11:03.000000000 -0400
@@ -52,7 +52,8 @@
files_root_filetrans(automount_t,automount_tmp_t,dir)
@@ -7856,8 +7867,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.0.8/policy/modules/services/avahi.te
---- nsaserefpolicy/policy/modules/services/avahi.te 2007-10-22 19:21:36.000000000 +0200
-+++ serefpolicy-3.0.8/policy/modules/services/avahi.te 2008-01-17 15:03:07.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/avahi.te 2007-10-22 13:21:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/avahi.te 2008-04-04 16:11:03.000000000 -0400
@@ -85,6 +85,7 @@
dbus_connect_system_bus(avahi_t)
dbus_send_system_bus(avahi_t)
@@ -7867,8 +7878,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.0.8/policy/modules/services/bind.fc
---- nsaserefpolicy/policy/modules/services/bind.fc 2007-10-22 19:21:39.000000000 +0200
-+++ serefpolicy-3.0.8/policy/modules/services/bind.fc 2008-01-17 15:03:07.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/bind.fc 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/bind.fc 2008-04-04 16:11:03.000000000 -0400
@@ -45,4 +45,7 @@
/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
@@ -7878,8 +7889,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
')
+/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.0.8/policy/modules/services/bind.te
---- nsaserefpolicy/policy/modules/services/bind.te 2007-10-22 19:21:39.000000000 +0200
-+++ serefpolicy-3.0.8/policy/modules/services/bind.te 2008-01-31 15:00:00.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/bind.te 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/bind.te 2008-04-04 16:11:03.000000000 -0400
@@ -66,7 +66,6 @@
allow named_t self:unix_dgram_socket create_socket_perms;
allow named_t self:tcp_socket create_stream_socket_perms;
@@ -7992,15 +8003,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
init_use_script_ptys(ndc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.fc serefpolicy-3.0.8/policy/modules/services/bitlbee.fc
---- nsaserefpolicy/policy/modules/services/bitlbee.fc 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.0.8/policy/modules/services/bitlbee.fc 2008-01-17 15:03:07.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/bitlbee.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/bitlbee.fc 2008-04-04 16:11:03.000000000 -0400
@@ -0,0 +1,3 @@
+/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
+/etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0)
+/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.if serefpolicy-3.0.8/policy/modules/services/bitlbee.if
---- nsaserefpolicy/policy/modules/services/bitlbee.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.0.8/policy/modules/services/bitlbee.if 2008-01-17 15:03:07.000000000 +0100
+--- nsaserefpolicy/policy/modules/services/bitlbee.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/bitlbee.if 2008-04-04 16:11:03.000000000 -0400
@@ -0,0 +1,22 @@
+##